Pending legal review — this is a working draft prepared by the development team. It must be reviewed and approved by legal counsel before launch; the final wording will replace this paragraph directly in the admin.
This website is operated by the company recorded in Site Settings → Company (legal / GDPR). That group contains the controller's legal name, registered seat, IČO, DIČ where applicable, and the entry in the commercial register; those values are displayed inline in the admin and on the live page. Any correspondence about your personal data should be addressed to the DPO email shown at the bottom of this page.
We collect only what we need to run the shop, deliver your order, and communicate with you.
Orders: your name, email, phone and delivery address. Stored to fulfil the contract and to satisfy Czech accounting law.
Newsletter: your email address and your locale, plus the date you confirmed your subscription. Collected only if you opt in.
Analytics: aggregate pageviews and a small set of UI events. We never store your IP address or use cookies for analytics. Visitors are identified by a daily-rotating salted hash that becomes unlinkable after 24 hours.
Order data: contract performance — GDPR Art. 6(1)(b).
Newsletter: your consent — GDPR Art. 6(1)(a). You may withdraw consent at any time using the unsubscribe link in every email.
Analytics: our legitimate interest in understanding site usage — GDPR Art. 6(1)(f). The data is pseudonymised at collection.
Accounting: legal obligation — GDPR Art. 6(1)(c) read with §31 zákona o účetnictví.
Orders: 10 years from the end of the accounting period, as required by Czech accounting law. Your personal fields (name, email, phone, address) are anonymised on request after the order has been fulfilled; the invoice line items, totals and order number are retained.
Newsletter subscribers: until you unsubscribe. Pending (unconfirmed) signups are deleted after 30 days.
Analytics: pageviews and events are retained for 12 months and then deleted.
Campaign send logs: 12 months from the send date.
We rely on a small number of trusted providers to operate the site:
Stripe Payments Europe, Ltd (Ireland) — processes card payments. Stripe receives the information needed to take payment; the rest of your data never leaves our systems.
ZeptoMail / Zoho Corporation B.V. (EU region) — delivers transactional and newsletter email on our behalf.
Our hosting provider — runs the website servers and database.
We do not set tracking or analytics cookies. The only first-party cookies are those Payload needs to keep an admin user signed in to /admin. Stripe's hosted checkout page sets its own cookies, governed by Stripe's notice on that page.
Under GDPR you have the right to access, rectify, erase and port your personal data, and to restrict or object to its processing. You can also lodge a complaint with the Czech supervisory authority, the Úřad pro ochranu osobních údajů (uoou.gov.cz).
To exercise any of these rights, write to the data-protection contact email shown below. We will respond within 30 days as required by GDPR Art. 12(3).
For any privacy or data-protection question, email the address shown under Site Settings → Company (DPO email). If no DPO email is configured, the general contact email applies.