Privacy Policy
Last updated: July 22, 2025
1. Basic Provisions
The Data Controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) is LAFORMELA s.r.o., Company ID: 22305581, registered office at Na Florenci 1332/23, 110 00 Prague 1, Czech Republic (hereinafter the “Controller”). The Controller has not appointed a Data Protection Officer.
Contact details of the Controller:
Address: LAFORMELA s.r.o., Na Florenci 1332/23, 110 00 Prague 1, CZ
Email: info@laformela.com
Tel: +420 737 706 028
Personal data means any information about an identified or identifiable natural person. The Controller declares that all personal data are processed in accordance with applicable laws, especially GDPR.
2. Sources and Purpose of Personal Data Processing
The Controller processes personal data that the data subject (the Buyer) provided to us, or personal data we obtained as a result of fulfilling the Buyer’s order. This includes, in particular, data entered when placing an order (such as name, address, email, phone number) and any data necessary for payment processing.
The purpose of processing these personal data is to fulfill the Buyer’s order and to exercise the rights and obligations arising from the contractual relationship between the Buyer and the Controller. This mainly includes receiving and processing orders, concluding and performing Purchase Contracts, shipping and delivering goods, and handling any complaints or inquiries from the Buyer. Providing personal data is a necessary requirement for concluding and performing the contract – without providing the required information, it is not possible to conclude the contract or fulfill it on our side.
Furthermore, the Controller processes personal data in order to comply with its legal obligations (especially accounting and tax obligations – issuing and keeping tax documents, record-keeping) and to protect its legitimate interests (such as debt recovery or legal claim defense). The Controller may process personal data for direct marketing purposes (sending promotional emails) based on legitimate interest, if permitted by law, and the Buyer has the right to opt out of such communications at any time.
The Controller will not use personal data for purposes other than those for which they were collected, except where the data subject has given consent or where permitted or required by law.
3. Data Retention Period
The Controller retains personal data only for as long as necessary to fulfill the stated purposes. Personal data processed for contract performance are stored for the duration of the contractual relationship and thereafter for the period necessary to ensure rights from defects and other potential claims (usually until the expiry of a standard 3-year limitation period after contract termination). Accounting records containing personal data must be kept for 10 years from the end of the accounting period in which they were issued, in accordance with applicable law. After the relevant periods expire, the Controller will delete or anonymize the personal data.
4. Recipients of Personal Data (Processors)
The Controller only discloses personal data to third parties when it is necessary to fulfill the contract or a legal obligation, or if the data subject has given consent. The main recipients of personal data are:
- Delivery services: carriers providing delivery of goods to the Buyer, in particular DHL, to whom we provide the necessary identification and contact data for delivery.
- Payment gateway provider: ComGate Payments, a.s., ID No. 27924505, registered at Karolinská 661/4, 186 00 Prague 8, which processes Buyers’ payments (we transmit data needed to execute the payment).
- E-shop platform provider: Shopify International Ltd. (Ireland) and affiliated processors within the Shopify group, who provide the technical infrastructure for operating the E-shop.
- Accounting, tax and legal advisors: to the extent necessary, they may have access to billing or contract information (e.g. for bookkeeping or legal representation).
- IT service providers: entities providing hosting, cloud or other IT services related to the operation of the E-shop and related systems.
- Marketing service providers: (if utilized) entities handling the distribution of newsletters or marketing campaigns, only if the data subject has given consent.
When selecting processors, the Controller ensures that these service providers are trustworthy and have implemented appropriate technical and organizational measures to protect personal data. The Controller has data processing agreements in place with all processors in accordance with Article 28 GDPR.
The Controller does not intend to transfer personal data to any third country (non-EU country) or international organization, except as necessary due to the use of services of the above-mentioned providers. Some of these providers (e.g. Shopify) may process personal data on servers outside the EU (for example, in Canada or the USA). In such cases, the Controller will ensure that the transfer of personal data is carried out in compliance with Chapter V of the GDPR, i.e. under appropriate safeguards (such as standard contractual clauses) to guarantee an adequate level of protection for the personal data.
5. Rights of Data Subjects
Under the GDPR, you have the following rights as a data subject:
- Right of access to your personal data under Article 15 GDPR (the right to obtain confirmation whether we process your personal data, and if so, to access those data and information about their processing),
- Right to rectification of inaccurate personal data or completion of incomplete data under Article 16 GDPR,
- Right to erasure (“right to be forgotten”) of your personal data under Article 17 GDPR, if the conditions are met (e.g. the data are no longer necessary for the purposes for which they were collected),
- Right to restriction of processing under Article 18 GDPR,
- Right to data portability under Article 20 GDPR (the right to obtain your personal data in a structured, commonly used, machine-readable format and transmit them to another controller),
- Right to object to processing of your personal data under Article 21 GDPR (especially if data are processed for direct marketing purposes),
- Right to withdraw consent at any time, if processing is based on your consent (withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal).
You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, web: www.uoou.cz. If you exercise any of your rights, the Controller will inform you of the action taken on your request within 1 month of receiving it (this period may be extended by an additional 2 months if necessary).
6. Personal Data Security
The Controller declares that it has implemented all appropriate technical and organizational measures to secure and keep personal data confidential. Data repositories and systems containing personal data are protected by modern security tools (encryption, passwords, antivirus software, firewalls, etc.). Access to personal data is limited to authorized personnel of the Controller who are bound by confidentiality. The Controller regularly updates security measures to minimize the risk of unauthorized access or data breaches.
7. Final Provisions
By submitting an order via the E-shop’s online form, the Buyer confirms that they have read this Privacy Policy and accept it in its entirety. The Controller reserves the right to amend this Privacy Policy at any time. The updated version will be published on the Controller’s website and, if necessary, may also be sent to the Buyer’s email address (if provided).
This Privacy Policy is effective from July 22, 2025.