Privacy Policy


This Privacy Policy provides you with the fullest and clearest information on the processing of your personal information under the General Data Protection Regulation (“GDPR”) (EU 2016/679) when you are accessing and/or using VENDITOR ULTIMUS’s Website, ATMs and related Services accessible on the website located at and on ATM machines operated by VENDITOR ULTIMUS (herein “Services”) for Users with registered and unregistered Accounts in accordance with the Terms of Service available at Terms of Service, or any and all other services and content accessible therein, offered by VENDITOR ULTIMUS.

The information published herein is limited to the collection and use of information with respect to your use of the Website, ATMs and related Services. It is important that you read this Privacy Policy together with any other privacy notice or policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. Other notices shall be published on our Website or should appear as a pop-up window when using ATMs operated by VENDITOR ULTIMUS. This Privacy Policy supplements the other notices and is not intended to override them.

“User”, “you” or “your” refers to the person, company or organization that uses our Website, ATMs or related Services and/or interacts with us through our Website. Unless otherwise indicated, terms used in this Privacy Policy shall have the same meaning as under Terms of Service and under GDPR.


Please read this Privacy Policy carefully before accessing or using Website, ATMs or related Services. By entering, connecting to, accessing or using the Website, ATMs or related Services and/or submitting your personal and other information in the registration procedure, you acknowledge that you have read and understood this Privacy Policy and you agree to collection and processing of your information in accordance with this Privacy Policy.



Under the GDPR, the controller is the subject that, alone or jointly with others, determines the purposes and means of the processing of personal information.

The controller for the data processing related to the activities on our Website (and ATMs) is VENDITOR ULTIMUS d.o.o., incorporated and registered in Republic of Slovenia, with a registered office at Štefančeva ulica 1, 1210 Ljubljana - Šentvid.

For any clarification, question or requirement related to your privacy and the processing of your personal data, please contact


Personal data, or personal information, means any information about an individual from which that person can be identified, directly or indirectly. We will collect and process various types of personal data about you for the purposes described in this Privacy Policy, including:

  • Profile Dataincludes your e-mail address and password, as well as your communication preferences and your communication with our support staff;
  • Transaction Dataincludes details about your financial transactions (e.g. payment history) and details of Services you have used on our ATMs;
  • Technical Dataincludes information about the device you are using to access our Services, such as your internet protocol (IP) address, operating system, time zone, country and language setting.;
  • Usage Dataincludes information about when and how you use our Services (i.e. logs of interactions with our system).

We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.

We do not collect any special categories of personal data about you (so called sensitive data; this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).


Information is gathered from you in a range of ways that are outlined below:

  • Direct interactions: You may give us your personal data by filling-in forms (e.g. creating account with us, providing data required to process a payment) or by corresponding with us directly or by post, phone, email, chat plugin, Website, transactions or otherwise;
  • Automated interactions: As you interact with our Services, we may automatically collect certain Technical Data, Usage Data and Transaction Data;
  • Received from other sources: We may also receive personal data about you from third parties. If you decide to register with your Google Analytics account, we may receive certain data from Google. We may also receive certain personal data from our group entities and other companies providing services to us, regulatory bodies, public sources, data aggregators who may not have a relationship with you, etc. We do not control how the third parties process your personal data, and any information request regarding the disclosure of your personal data to us should be directed to such third parties.


Our use of your personal data depends on how and where you interact with us. However, whenever we process your personal data, we do so on the basis of a lawful “justification” (or legal basis) for processing. In the majority of cases, the processing of your personal data will be justified on one of the following bases:

  • processing is necessary to perform a contract with you or take steps that you have requested in order to enter into a contract;
  • processing is necessary for us to comply with a legal obligation (e.g. anti-money laundering legislation);
  • processing is in our legitimate interests, and our interests are not overridden by your interests, fundamental rights or freedoms. Our legitimate interests may include our interest in using user’s personal data to conduct and develop our activities and in establishing, exercising or defending legal claims; or
  • processing is based on your prior explicit consent.

The purposes for which we process your personal data and legal basis

I. Fulfilment of services
To enable us to perform the services to you – to carry out our contractual obligations relating to you, to manage our relationship with you which will also include notifying you about changes to our service and changes to our terms or policies.
It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. We will store the data for as long as the agreement shall be in force and for additional period in which either party can make any legal claims arising out of this agreement.
II. Support services
To enable us to respond to your queries or requests in accordance with the content of such query or request.
It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you.
It is also our legitimate interest to ensure quality information to Users and potential Users.
We will store the data for as long as the agreement shall be in force and for additional period in which either party can make any legal claims arising out of this agreement.
III. Marketing communications
To provide news and information services including e-mail briefings and newsletters.
We will only send you marketing communications where you have consented and expressed a preference to receive such marketing communications, where it is appropriate and relevant to our business relationship with you, or where we have other lawful right to do so. Until withdrawal of consent.
IV. User insight and analysis
To collect insights into how you interact with our services so that we can personalise our communications with you and maintain and improve our websites and services.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information in such a way to ensure that we deliver our online services to you and our other clients effectively and to ensure quality.
Where lawfully required, we may also process your personal information in accordance with your consent to the processing.
We will store the data for as long as necessary for the purposes of the legitimate interests.

Until withdrawal of consent.
V. Compliance with legal obligations
To comply with legal and regulatory obligations to which we are a subject (e.g. anti-money laundering).
It is our legal obligation to do so. We will store the data for a period required under the applicable laws.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Profiling and automated decision making

Some of our processes can involve profiling, automated processing and automated decisions.

We may in some instances use your personal data, such as your Usage Data, in order to better address your needs. For example, if you frequently engage in a certain service, we may use this information to offer you more similar services or inform you of specific news or features that may be useful for you. We may use automated individual decision-making in order to improve your experience.

Right to withdraw consent

Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time. You can exercise this right by contacting us on: by clicking on the “unsubscribe” button on our marketing emails or by choosing a similar opt-out option that we may provide for you to exercise your right to object to the processing of your personal data.


Where applicable, your personal data is collected and processed in compliance with the GDPR. We place great importance on the security of all personal data associated with our users. We have adopted security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access. We limit access to your personal data to those employees and third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

For the best possible protection of your personal data outside the limits of our control, your computer or other device should be protected (such as by updated antivirus systems) and your internet service provider should take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).

While we take reasonable steps to protect your personal data, we cannot guarantee that the personal data you disclose to us will be 100% secure, nor that any data breach will not occur. You accept the inherent security implications of dealing on-line over the Internet and will not hold us or our processors responsible for any data breach unless it is due to our negligence.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Transferring your information outside of the European Economic Area

Your personal data is primarily stored and processed inside the European Economic Area (EEA), but may also be transferred, processed and stored on servers located in countries outside the EEA in order to carry out the activities specified in this Privacy Policy. Your personal data can therefore be subject to privacy laws that are different from those in your country of residence.

However, if we do transfer personal data collected within the EEA to third parties outside the EEA, such transfer will be based on the safeguards either of the standard contractual clauses issued by the EU Commission, the EU-US or CH-US Privacy Shield certification, Binding Corporate Rules or other acceptable legal mechanisms. In these cases, we ensure that both ourselves and our partners take adequate and appropriate technical, physical, and organizational security measures to protect your data.

Retention of your personal data

Our general approach is to retain your personal data only for as long as required to fulfil the purposes for which it was collected, or to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims. We generally retain your personal data for three (3) years from the end of our relationship or from the last contact from you, unless local law requires otherwise. However, in some circumstances we may retain personal data for longer periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements.

In specific circumstances we may also retain your personal data for longer periods of time corresponding to the applicable statute of limitations so that we have an accurate record of your dealings with us in the event of any complaints or challenges.

In some circumstances, certain personal data can be removed on your request. Also, note that due to technical limitations, the data may not be removed instantly. Please contact us for further information:


For achieving the purposes of use set out in this Privacy Policy (see above), your data may be accessible to certain categories of persons, employed or contracted by us, that are involved with the operation of our Services, including financial institutions, lawyers, administrators, IT and system administration services provider, marketing and other services providers, on our behalf on a need-to-know basis.

We may also share your personal data with law enforcement, data protection authorities, government officials, and other authorities, including when:

  • compelled by subpoena, court order, or other valid legal procedure;
  • we believe that the disclosure is necessary to prevent physical harm or financial loss;
  • disclosure is necessary to report suspected illegal activity;
  • disclosure is necessary to investigate violations of this Privacy Policy or other legal agreements;
  • we obtain your consent or at your direction.

We may also disclose certain personal data to our current or future affiliates, subsidiaries and other related entities, as well as to our operational and business partners and sub-contractors when this is necessary for the performance and execution of any contract, we enter into with them or you. We may also share your personal data with third parties in connection with potential or actual restructuring of our company or any of our assets, or those of any associated company, in which case personal data held by us about our users may be one of the transferred assets.


Our Website may include links to third-party websites, plug-ins, channels or other applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy statements. When you use the third-party services, we encourage you to read the privacy notice of every website or application you use.


Under certain circumstances, you have the following rights in relation to your personal data under GDPR:

  • Request access to your personal data. You have the right to request that we provide you access to your personal data held by us.
  • Request correction of your personal data. You have the right to request correction of any personal data we hold on you that is inaccurate, incorrect, or out of date.
  • Request erasure of your personal data. You have the right to request deletion of your data when it is no longer necessary, or no longer subject to legal obligations to which we are subject to. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data justified on legitimate grounds. Where we are relying upon legitimate interest to process personal data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a justification for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
  • Request restriction of processing your personal data. You have the right to request that we restrict the processing of your personal data where:
    • you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
    • the processing is unlawful but you do not want us to erase the data;
    • we no longer need your personal data for the purposes of the processing, but you require such data for the establishment, exercise or defence of legal claims; or
    • you have objected to processing justified on legitimate interest grounds (see above) pending verification as to whether we have overriding compelling legitimate grounds to continue processing.
    Where personal data is subject to restriction in this way, we will only process it with your consent or for the establishment, exercise or defence of legal claims.
  • Request transfer of your personal data. Under certain conditions, you have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
  • Right to withdraw consent. Where you have provided your consent to our processing of personal data, you have the right to withdraw it at any time. For example, if you wish to opt-out of receiving e-newsletters, you can use the ‘unsubscribe’ link provided in our emails or contact us directly via and we will stop sending you communications.

For further information regarding your rights, to exercise any of your rights, or if you have any complaints or questions regarding the processing of your personal data please contact us via

Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We will endeavour to respond to your request as soon as possible and in any case within the applicable timeframes.


When you visit our Website or use our Services, we may use cookies and other tracking technologies (collectively, “Cookies”) to recognize you and to otherwise customize your online experiences and other content and advertising; measure the effectiveness of promotions; and mitigate risk, prevent potential fraud, and promote trust and safety across the Website, ATMs and related Services. Certain aspects and features of the Website, ATMs and related Services are only available through the use of Cookies, so if you choose to disable or decline Cookies, your use of the Website, ATMs and related Services may be limited or not possible.

Please review our Cookies Policy to learn more about how we use Cookies.


Protecting the safety and privacy of children is very important to us. Our Website and Services are intended for a general audience and are not directed at individuals under the age of majority. We do not knowingly collect information from anyone under the age of eighteen (18) years, or any other age limit set out by the law of his/her country of residence children, or other individuals who are not legally able to use our Services. By registering or submitting an application, you confirm that you have reached the age of majority in your country of residence. If we learn that we have inadvertently gathered personal information from such an individual, we will take legally permissible measures to remove that information from our records. If you believe that we have mistakenly or unintentionally collected information from a child, please contact us via


Occasionally we may, in our discretion, make changes to the Privacy Policy by posting a revised version and updating the ‘Effective Date’ above. The revised version will be effective on the “Effective Date” listed. Except if and when such notice is required by law, we will do so without any notice to you. Where your explicit consent will not be needed, your continued access or use of our Website and/or Services constitutes your acceptance of the latest Privacy Policy. You are thus encouraged to periodically review this page. If you disagree with the Privacy Policy and you do not wish to continue using the Website, ATMs and/or related Services under the new version of the Privacy Policy, you must stop using our Website and/or Services.


If you have any questions or concerns regarding our Privacy Policy or if you believe our Privacy Policy or applicable laws relating to the protection of your personal information have not been respected, you can file a complaint with us by using the contact details listed below and we will respond to let you know when you can expect a further response. We can request additional details from you regarding your concerns and may need to engage or consult with other parties in order to investigate and address your issue. We will keep records of your request and any resolution.

Štefančeva 1
1000 Ljubljana

You also have the right to lodge a complaint regarding the processing of your personal data by us at any time with your local data protection authority (you can find your data protection authority:

We would, however, appreciate the opportunity to deal with your concerns before you approach the authorities, so please contact us in the first instance.