General terms and conditions

General information about The Brush Stash d.o.o.:

  • Company name: The Brush Stash d.o.o.
  • Company address: Ulica Vjenceslava Novaka 9, 10000 Zagreb
  • OIB (national identification number): 22766106537
  • Registered at: Trgovački sud Zagrebu, Tt-19/16077-2
  • Company owner: Petra Baketa
  • Business account at: Privredna Banka Zagreb d.d., IBAN: HR0523400091111012531
  • Contact e-mail:

About retailer:

  • The Brush Stash d.o.o.
  • Ulica Vjenceslava Novaka 9, 10000 Zagreb (webshop)
  • OIB: 22766106537
  • MBS: 081238758

  • The Brush Stash makeup studio & brush store
  • Ulica Kneza Domagoja 25, 10000 Zagreb

PRIVACY POLICY AND GENERAL CONDITIONS of the company The Brush Stash d.o.o.

Any use of and other websites owned by the company The Brush Stash d.o.o. is subject to the following conditions of use. The entire content, documents and information on the website (and/or other websites owned by The Brush Stash d.o.o.) may not be copied, except for personal use and other non-commercial purposes, while adhering to copyright and other intellectual property rights including all other legal limitations. Any copying, reproduction or distribution of documents, information and content from this website is permitted only upon approval from the company The Brush Stash d.o.o.

The website may be used for private purposes without any additionally incurred fees for use, while adhering to the conditions and rules of use. Using of the online shop means that you will adhere to the stated rules and conditions.


Registration is not necessary to be able to make purchases through webshop. When making purchases, if you don’t want to be entering a delivery address or information on the manner of payment each time, we recommend that you register. All you need to do is enter a valid email address, personal information (name, surname, address, postal address, place, telephone number) and a freely selected password which will enable you to access your user account.

By clicking the button login/registration ---> “Register here”, an input field will appear into which you can enter your email address and to which an activation link for your user account will be sent. You may also register after filling out the information during your first order, when our system will offer you the opportunity to automatically register so that you won’t be required to enter once again your information for deliveries.

In the event that you forget your password, on the same page you can selected “Forgotten you password?”. Here you can enter your email address which you used to register, and the system will automatically send you a link for resetting your password. You can also do this later by editing your account settings.


The webshop is always open for ordering and there are no business hours for making online orders. The goods are ordered using an electronic form, and orders are processed during workdays, from 10 am – 4 pm. The buyer is required to complete the given form using basic information for payment and delivery of the desired products and will be informed by email of the completed orders.

Under the product you wish to purchase, you can click “Add to Cart”. After you have chosen the desired articles, click on the cart and it will show you an overview of your selected products. In addition, you can also change quantities in the cart or change your mind and remove a certain product. Then, select “Payment”. On the next page, you can fill out your information for delivery. When you fill the information for the delivery, select the checkbox to provide consent to conditions of use for the website, and then you’re ready for the next step – click the button “Continue to Payment”. On the next page, select the manner of payment (card payment or payment upon delivery). If you choose payment upon delivery, you will have to leave a contact number where we can contact you in order to verify the order. After that, click “Confirm Order”. If you chose payment upon delivery, your order is therefore completed, and you will receive via your email address confirmation of the order. If you chose card payment, you’ll have to enter your card detail in the next step and after that click “Pay”. If your transaction is successful, the order will be successfully executed, and you’ll also get a confirmation of the order via your email address.

The Brush Stash d.o.o. is obliged to deliver all ordered products which at the time of delivery are in stock. In the event that The Brush Stash d.o.o. is not able to deliver any ordered product, the company will contact the buyer by telephone or email immediately. All other ordered products will be delivered.


The content of webshop is protected and The Brush Stash d.o.o. has the sole right to use it. Any commercial use of the content on website requires prior contact via the email address

Notices in terms of Article 57 of the Consumer Protection Act:

The retailer is the company The Brush Stash d.o.o. from Zagreb, Ulica Vjenceslava Novaka 9, OIB: 22766106537,, Tel: 095 3977 634.

Information on retail prices of goods is shown beside each product, and information on costs of transport, delivery or postal services, i.e., the fact that these costs may be charged, if they cannot be reasonable calculated in advance is found in the described section “Payment and Delivery”. Notices relating to conditions of payment, conditions of delivery of goods and deadline for delivery of goods is found in the Section “Payment and Delivery”.

Notices on the manner of registering complaints and resolving consumer complaints by the retailer is found in the section “Refunds and Complaints”.

The section “Refunds and Complaints” provides notices and additional explanations relating to: 
- information on conditions, deadlines and procedures for exercising rights to unilateral termination of contracts as well as forms for unilateral termination of contacts in accordance with Paragraph 1, Article 74 of the Consumer Protection Act.

- information on the fact that the buyer is obliged to bear the costs of returning goods in the event of exercising his or her right to unilaterally terminate the contact referred to in Article 72 of the Consumer Protection Act, i.e., the costs of returning the goods, in the event of distance contracts, the goods due to their nature cannot be returned by post in the normal way.

- information as to whether, in the event of exercising the right to unilateral termination of the contract referred to in Article 72 of the Consumer Protection Act, after submitting a request in accordance with Article 64 or Article 70 of the Consumer Protection Act, the buyer is obliged to pay the retailer a reasonable part of the price in accordance with Paragraph 7, Article 77 of the Consumer Protection Act

- information as to whether the buyer may exercise his or her right to unilaterally terminate the contract referred to in Article 72 of the Consumer Protection Act in cases in which, based on Article 79 of the Consumer Protection Act, this right is excluded, and concerning the presumptions under which the consumer loses the right to unilaterally terminating the contract.

The retailer is responsible for material insufficiencies of the goods in accordance with valid regulations. Mechanisms for extrajudicially resolving disputes is as follows: In the event of a dispute between the consumer and retailer, a request may be lodged to the Court of Honour before the Croatian Economic Chamber, Court of the Honour before the Croatian Chamber of Trades and Crafts or a proposal for reconciliation before the centres for reconciliation. The procedure before the courts of honour is conducted in accordance with the Ordinance on the Court of Honour before the Croatian Chamber of Economy and the Ordinance of the Court of Honour before the Croatian Chamber of Trades and Crafts which stipulates that members of the council of these courts, besides independent legal experts and representatives of the retailers, my include consumer representatives. Reconciliation before the centres for reconciliation is conducted in accordance with the Reconciliation Act, and also the Ordinance on Reconciliation Centres for Reconciliation.


The company The Brush Stash d.o.o. from Zagreb (hereinafter: The Brush Stash) is the controller for personal data and in terms of which it determines the intention and means of processing personal data for the requirements of its business operations and legal activities, and in accordance with the General Data Protection Regulation (GDPR). The Brush Stash places special attention on the making sure that personal data is processed in line with the basic principles in Chapter 2 of the General Data Protection Regulation and ensures legal processing of personal data applicable, relevant and maximally limited to what is essential and with respect to the purpose for which the data is processed.

The Brush Stash, as a rule, does not process personal data of persons younger than 18 years of age. In exceptional circumstances, and in accordance with the provisions of Article 8 of the General Data Protection Regulation, data of persons completing 16 years of age may be processed, whereas for all other cases (persons younger than 16 years of age), the express consent from the legal custodian of the child is necessary and which must be determined in a clear and unambiguous manner in accordance with the provisions of Paragraph 2, Article 2 of the General Data Protection Regulation.

The Brush Stash does not process private data which reveals racial or ethnic origins, religious attitudes nor political or other beliefs, genetic or medical data for the purpose of uniquely identifying an individual nor data on the sex life or sexual orientation of an individual.


The Brush Stash implements appropriate technical and organisational measures for enabling effective application of data protection principles, such as maximally reducing the amount of data and including protective measures during processing which ensures that only personal data essential for a particular processing purpose is processed. This is also evident in that special attention is given to issues concerning the quantity of collected personal data, scope of processing such data, the period of archiving and accessibility of such data. When taking into consideration the latest achievements, implementation costs as well as the nature, scope, contact and purpose of the processing, including the risk of various levels of probability and seriousness for the rights and freedoms of individuals, The Brush Stash implements appropriate technical and organisational measures in order the ensure the appropriate level of security with respect to risks. This is primarily achieved through continual tracking of archived personal data, processing only in the most necessary scope and keeping personal data only as long as necessary in order to achieve the purpose of processing.


At the moment when The Brush Stash, in any way, wants to collect personal data, the data subject to whom the data refers to is informed of the matter in advance and is informed of all the details and their rights which are described in detail below.

  • Transparency
  • The controller undertakes appropriate measures in order for the data subject to be provide with all the necessary and prescribed information, and enable the communicating of all the person’s rights in relation to the processing of personal data in a brief, transparent, understandable and easily accessible form, along with the use of clear and simple language.

  • Right of access to data
  • The data subject has to right to receive from the controller confirmation as to whether the personal data relating to the data subject are processed and if such personal data is processed, access to the personal data and the following information: purpose of processing, relevant categories of personal data, receivers or categories of receivers to whom the personal data is revealed or will be revealed, especially receivers in third countries or international organisations and if that is possible, the expected period in which the personal data will be stored or, if that is not possible, criteria used for determining that period, the existence of rights based upon which the controller is requested to correct or delete personal data or limit the processing of personal data relating to the data subject or the right to object to such processing, the right to lodge a complaint with a supervisory authority, if the personal data is not collected from the data subject, any accessible information as to its source, the existence of automated decision making, which includes producing profiles and in such cases using relevant information as to what logic is applied, as well as the importance and anticipated consequences of such processing for data subjects. If the personal data is transferred to a third country or international organisation, the data subject has the right to be informed of appropriate protective measures. The controller ensures the existence of copies of personal data which is processed. For all additional copies sought by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject lodges a request electronically, and except if the data subjects seeks differently, information is provided in the normal electronic form.

  • Right to rectification
  • The data subject has the right, without unnecessary delay, to obtain from the controller the rectification of inaccurate or changed personal data relating to the data subject. When taking into account the purpose of processing, the data subject has the right to supplement incomplete personal data, as well as providing an additional statement.

  • Right to be forgotten
  • The data subject has the right to obtain from the controller the erasure of personal data relating to the data subject without unnecessary delay, and the controller is obliged to erase the personal data without unnecessary delay if the personal data is no longer essential for the purpose for which it was collected or processed in any other manner. The data subject withdraws his or her consent upon which the processing is based, and there is no other legal basis for conducting the processing, the data subject lodges a complaint as to the processing in that regard, if the personal data is illegally processed, if the personal data must be deleted in order to adhere to legal obligations from EU law or the laws of a member state to whom the controller is subject, the personal data is collected in relation to an offer of services provided by an information company directly to a child. If the controller has publicly disclosed personal data, but is obliged to erase the data, while taking into account available technologies and implementation costs, the controller undertakes reasonable measures, including technical measures, in order to inform the controllers processing personal data that the data subject has requested from the controllers that they erase all links to such information or copies or reconstruction of such personal data.

  • Right to restriction of processing
  • The data subject has the right to obtain from the controller a limitation to processing if the data subject disputes the accuracy of the personal data, for the period for which the controller is given for verification of the accuracy of the personal data, if the processing is illegal and the data subject objects to the erasure of the personal data, and instead of that, seeks limits to the use of such data, if the controller no longer requires the personal data for processing requirements, but the data subjects seeks the data in order to establish, achieve or defend legal requirements, if the data subject has lodged a complaint against processing and anticipates a confirmation as to whether the controller’s legitimate reasons surpass the data subject’s reasons. If the processing is limited, such personal data may be processed only along with the data subject’s consent, with the exception of archiving, or for establishing, achieving or defending the legal requirements or protection of the rights of other physical or legal persons, or due to important public interest of the EU or a member states. The data subject who has obtained limitations to processing, is to be informed by the controller prior terminating limitations to processing.

  • Right of data portability
  • The data subject is entitled to receive personal data relating to him or her, and which he or she has provided to the controller in a structured, standard usable and machine readable format, and the right to transfer the data to another controller without obstruction from the controller to whom the personal data has been provided, if the processing is based on consent or an agreement or if the processing is performed in an automated manner. The data subject has the right to a direct transferal from one controller to another, if it is technically feasible.

  • Right to object
  • The data subject is entitled at any time to lodge a complaint against the processing of his or her personal data. The controller may no longer process personal data unless the controller shows evidence of the existence of convincing legitimate reasons for such processing which surpass the interests, rights and freedom of data subjects or due to the establishment, achievement or defence of legal requirements. If personal data is processed for the needs of direct marketing, the data subject may at any time lodge an objection to the processing of his or her personal data for the requirements of such marketing, which includes producing a profile to the extent it relates to such direct marketing. If the data subject objects to the processing for the needs of direct marketing, the personal data may no longer be processed for such purposes. No later than at the moment of establishing first communication with the data subject, the data subject must be informed of his or her ability to lodge a complaint and this must be done in a clear manner and separately from any other information.

  • Right to object to profiling
  • The data subject is entitled to having a decision based solely on automated processing not relate to the him or her, including the devising of profiles, which in turn leads to legal consequences relating to him or her or in a similar manner significantly affecting him or her. This situation does not relate to instances when a decision is necessary for concluding or implementing a contract between the data subject and controller, as permitted by EU law and law of member states, to which the controller is subject and which also stipulate appropriate measures for protection of rights and freedoms as well as legitimate interests of the data subject or based on the data subject’s explicit consent. The controller implements the appropriate protective measures for the rights and freedom, as well as legitimate interests of the data subject, the right to human intervention by the controller, right to expressing personal views and the right to contesting decisions.


    When making payments on the webshop, CorvusPay is used, which is an advanced system for secure reception of payment cards via the Internet. CorvusPay provides complete secrecy of card details even from the moment of entering the details onto the CorvusPay payment form. Payment details are forwarded encrypted from the user’s web browser to the bank which issued the card. The Brush Stash webshop never comes into contact with all the data on the user’s payment card. Also, the data is even inaccessible to Corvuspay system personnel. The isolated core independently transmits and manages the sensitive data, while maintaining them completely secure. The form for entering payment details is securing using the SSL cryptographic protocol providing maximum reliability. All stored data is additionally protected through encryption, using a cryptographic device certified according to the FIPS 140-2 Level 3 standard. CorvusPay meets all requirements relating to security for online payments as stipulated by leading payment card brands and operates in compliance with standard PCI DSS Level 1 – the highest security standard in the payment card industry. When making payments using payment cards incorporated into 3-D Secure, the user’s bank program (in addition to the validity of the actual payment card) additionally checks the identity of the user using a token or password. Corvus info d.o.o. considers all collected information to be a banking secrecy and treats them as such. Information is used solely for the purpose for which they are intended. Personal data is completely secure, and their privacy is guaranteed using the most modern security mechanisms. Only data essential for performing operations in line with stipulated and required online payment procedures are collected. Security protocols and operational procedures applied to The Brush Stash infrastructure ensure the current reliability of the Corvus system. In addition, maintaining strict access control, regular tracking of security and thorough auditing to prevent vulnerabilities in the network as well as planned implementation of provisions on IT security, continually maintain and improve the level of security for the system by protecting user payment card details. Having said all of this, The Brush Stash uses encrypted links with websites and encrypted communication with mail servers.