Data Protection & Processing Terms (Privacy Policy)

1. DATA SUBJECTS, PURPOSES, SCOPE, DURATION, AND LEGAL BASIS OF PROCESSING

A. CUSTOMERS - INDIVIDUALS

The Controller processes personal data of individual customers for the purpose, to the extent, on the legal basis, and for the following duration:

• Purpose: Providing services to customers in accordance with the purchase agreement (conclusion of the purchase agreement, delivery of goods, and handling of complaints).

  Scope of data: Name, surname, email address, phone number, delivery address, date of birth, if applicable, billing address, if applicable, Business ID, and registered office.

  Legal basis: Necessity of processing personal data for the performance of the contract.

  Duration: For the time necessary to fulfill the contract and during the statute of limitations.

• Purpose: Managing customer accounts.

  Scope of data: Name, surname, email address, phone number, delivery address, date of birth, if applicable, billing address, if applicable, Business ID, and registered office.

  Legal basis: Consent.

  Duration: From registration until the customer deletes the account or the Controller deletes the account due to customer inactivity (no logins to the customer account for at least 5 years).

• Purpose: Accounting and tax purposes and compliance with archiving obligations.

  Scope of data: Name, surname, address.

  Legal basis: Necessity of processing for compliance with legal obligations imposed on the Controller by law.

  Duration: For the time necessary, up to 10 years, unless legal regulations stipulate longer periods.

• Purpose: Sending commercial communications for marketing and advertising purposes.

  Scope of data: Name, surname, and email address.

  Legal basis: Consent.

  Duration: For a period that is reasonably necessary, up to the revocation of consent.

• Purpose: Sending unsolicited commercial communications.

  Scope of data: Name, surname, and email address.

  Legal basis: Legitimate interest (direct marketing).

  Duration: For a period that is reasonably necessary.

B. CONTACT PERSONS OF CUSTOMERS - LEGAL ENTITIES

The Controller processes personal data of contact persons of legal entity customers for the purpose, to the extent, on the legal basis, and for the following duration:

• Purpose: Providing services to customers in accordance with the purchase agreement (conclusion of the purchase agreement, delivery of goods, and handling of complaints).

  Scope of data: Name, surname, email address, phone number, date of birth.

  Legal basis: Necessity of processing personal data for the performance of the contract.

  Duration: For the time necessary to fulfill the contract and during the statute of limitations.

• Purpose: Managing customer accounts.

  Scope of data: Name, surname, email address, phone number, date of birth.

  Legal basis: Consent.

  Duration: From registration until the customer deletes the account or the Controller deletes the account due to customer inactivity (no logins to the customer account for at least 5 years).

• Purpose: Sending commercial communications for marketing and advertising purposes.

  Scope of data: Name, surname, and email address.

  Legal basis: Consent.

  Duration: For a period that is reasonably necessary, up to the revocation of consent.

• Purpose: Sending unsolicited commercial communications.

  Scope of data: Name, surname, and email address.

  Legal basis: Legitimate interest (direct marketing).

  Duration: For a period that is reasonably necessary.

C. PLATFORM VISITORS

The Controller processes cookies concerning platform visitors. More information about cookie processing on the Platform can be found here.

D. PERSON CONTACTING THE CONTROLLER

The Controller processes personal data of individuals who contact the Controller by email or phone for the purpose, to the extent, on the legal basis, and for the following duration:

• Purpose: Responding to inquiries from contacting individuals.

  Scope of data: Name, surname, email address, phone number.

  Legal basis: Legitimate interest in providing a response.

  Duration: As necessary to respond to the inquiry.

a) Right of access to personal data:

Data subjects have the right to obtain from the controller confirmation as to whether their personal data is being processed. If so, they have the right to access this personal data and the following information:

1. Purposes of the processing of personal data;
2. Categories of personal data concerned;
3. Recipients or categories of recipients to whom the personal data has been or will be disclosed;
4. The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing and to object to such processing;
6. The right to lodge a complaint with a supervisory authority;
7. All available information about the source of personal data if not obtained from the data subject.

Data subjects also have the right to request a copy of the processed personal data from the controller, provided that the rights and freedoms of others are not adversely affected. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information will be provided in an electronic form commonly used unless the data subject requests another method.

b) Right to rectification:

Data subjects have the right to have inaccurate personal data concerning them rectified without undue delay. Taking into account the purposes of the processing, data subjects also have the right to complete incomplete personal data by providing a supplementary statement.

c) Right to erasure ("right to be forgotten"):

Data subjects have the right to request the erasure of their personal data without undue delay, and the controller has the obligation to erase personal data without undue delay if one of the following reasons applies:

1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
2. The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
4. The personal data has been unlawfully processed;
5. The personal data must be erased for compliance with a legal obligation under the law of the European Union or the Czech Republic;
6. The personal data has been collected in relation to the offer of information society services based on the consent of a child.

d) Right to restriction of processing:

Data subjects have the right to obtain from the controller the restriction of processing in any of the following cases:

1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.

e) Right to data portability:

Data subjects have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller if:

1. The processing is based on consent or on a contract and
2. The processing is carried out by automated means.

When exercising the right to data portability, data subjects have the right to have personal data transmitted directly from one controller to another, where technically feasible. The right to data portability must not adversely affect the rights and freedoms of others.

f) Right to object:

Data subjects have the right to object to the processing of personal data. If a data subject raises a justified objection to the processing for the purposes of direct marketing or profiling, the personal data will no longer be processed for these purposes. The objection will be evaluated, and the controller will subsequently inform the data subject whether the objection has been upheld, and the controller will no longer process the data, or if the objection was not justified, the processing will continue. During the resolution of the objection, processing will be restricted.

g) Right not to be subject to automated decision-making, including profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the automated decision-making is necessary for the conclusion or performance of a contract between the data subject and the controller or is based on the explicit consent of the data subject; however, in such cases, the data subject has the right to human intervention on the part of the controller, to express his or her point of view, and to contest the decision.

h) Right to lodge a complaint with a supervisory authority:

Data subjects have the right to lodge a complaint with the supervisory authority regarding the processing of their personal data by the controller. The supervisory authority for the Czech Republic is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7.