PRIVACY POLICY (GDPR)
INTRODUCTORY INFORMATION, PERSONAL DATA CONTROLLER
- This Information on Personal Data Processing contains important information regarding the protection of personal data of customers, potential customers and other visitors to the websites www.hanavolfova.com, www.hanavolfova.cz, www.healandglow.cz, www.hanavolfova.podia.com (hereinafter referred to as the „Website“).
- The purpose of this document is to inform the above-mentioned persons (hereinafter also referred to as „Data Subjects“) about the manner in which their personal data is processed and their related rights and obligations.
- The personal data controllers are:
Heal&Glow s.r.o., ID No.: 106 02 339, with its registered office at Korunní 2569/108g, Vinohrady, 101 00 Prague 10, the Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under file number C 346737, e-mail: info@hanavolfova.com, and also Hana Volfová, ID No.: 03926508, with its registered office at Korunní 2569/108g, Vinohrady, 101 00 Prague 10, the Czech Republic, operating as a sole trader (hereinafter collectively referred to as the „Data Controller“).
- The contact details of the Data Controller for enquiries regarding personal data, filing complaints, objections or exercising the rights of Data Subjects are as follows:
- e-mail: info@hanavolfova.cz
- postal address: Korunní 2569/108g, Vinohrady, 101 00 Prague 10, the Czech Republic
- The Data Controller is obliged to process personal data in accordance with applicable legal regulations, in particular Act of the Czech Republic No. 110/2019 Coll., on the Processing of Personal Data, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also referred to as „GDPR“).
- The Data Controller hereby informs Data Subjects that these personal data protection rules may be supplemented, amended or otherwise updated on a regular basis without prior notice. The current version of this document will always be published on the Website. However, the personal data of Data Subjects will always be handled in accordance with the personal data protection rules that were in force at the time of their collection.
- These personal data protection rules do not apply to the personal data of legal entities, including the name, legal form and contact details of the legal entity.
SCOPE OF PROCESSED PERSONAL DATA
- The Data Controller is authorised to process the following personal data of Data Subjects in particular:
- name, surname, title, gender, date of birth, age, permanent address or registered office, delivery address, ID number, VAT number, telephone number, e-mail address, other contact address, payment details, any other personal data obtained from mutual communication,
- IP address and information obtained through cookies (for more details, see the separate Cookie Policy),
- information about the ordered product (digital content and services), profile photo, photos and video recordings from offline events, references and reviews written by Data Subjects.
- The Data Controller does not process any sensitive data (i.e. special categories of personal data), such as data revealing nationality, racial or ethnic origin, health, sexual orientation, political opinions, trade union membership, religion and philosophical beliefs, criminal convictions, etc.
BASIS AND PURPOSE OF PERSONAL DATA PROCESSING
Processing of personal data for the purpose of concluding a contract and fulfilling contractual obligations
- For the purpose of concluding and performing a contract, the Data Controller processes the personal data of Data Subjects necessary for the conclusion of the contract and delivery of the ordered product, usually to the following extent: name and surname, permanent address or registered office, delivery address, e-mail, telephone number, and, where applicable, company ID number and VAT number.
- The legal basis for the processing of this data is the fulfilment of contractual obligations under the contract concluded between the Data Controller as the provider and the Data Subject as the customer. Such an obligation may be the delivery of digital content or the provision of a service depending on the type of product ordered.
- For this purpose, the Data Controller processes personal data for the duration of the contractual relationship.
Processing of personal data for the fulfilment of obligations under accounting, tax and other legal regulations
- The Data Controller is obliged to process certain personal data of customers (Data Subjects) for the purposes of fulfilling its obligations under applicable legal regulations, in particular in the areas of accounting, tax law and archiving. In such cases, personal data is processed for the period specified by the relevant legal regulations.
- In this context, the Data Controller processes the following data in particular: personal data within the scope of the relevant contract (see processing of personal data for the purpose of concluding a contract and fulfilling contractual obligations), as well as the payment details of Data Subjects and any other personal data obtained from mutual communication, information about ordered products (digital content or services).
Processing of personal data for the purposes of the legitimate interests of the Data Controller or a third party
- The Data Controller is also entitled to process the personal data of Data Subjects for the purpose of protecting its rights, in particular for defence against any claims by Data Subjects or third parties, in the event of an inspection by a supervisory authority and for the possible enforcement of claims by the Data Controller, in particular on the basis of concluded contracts or damage caused. For these purposes, personal data will be processed in particular within the scope of the relevant contract (see processing of personal data for the purpose of concluding a contract and fulfilling contractual obligations), as well as any other personal data obtained from mutual communication, information about ordered products (digital content or services) and, where applicable, data about the Data Subject’s IP address.
- For the reason stated in the previous section, the Data Controller is entitled to process the personal data of Data Subjects for the entire duration of the contractual relationship and for a period of 4 years after the expiry of the contract or, if no contract has been concluded, from the last contact with the Data Subject. This period corresponds to the general 3-year limitation period extended by 1 year to allow for the time necessary for the Data Controller or Data Subject to become aware of any claim brought before a court. In the event of the commencement and duration of judicial, administrative or other proceedings in which the rights or obligations of the Data Controller in relation to the relevant Data Subject are being resolved, the period of personal data processing for this purpose shall not end before the end of such proceedings.
- The Data Controller is also entitled, on the basis of its legitimate interest, to process the personal data of Data Subjects for direct marketing purposes, to the extent of: name, surname, address and e-mail. The Data Controller is entitled to process this personal data and send commercial communications to Data Subjects for a maximum period of 3 years from the end of the obligation under the concluded contract or from other recent communication with the Data Subject. At the same time, the Data Subject may always terminate the sending of commercial communications by clicking on the link provided in the relevant e-mail containing the marketing communication.
Processing of personal data based on the consent of the Data Subject
- Based on the Data Subject’s explicit consent to the processing of personal data, the Data Controller may also process other personal data of Data Subjects, e.g. for other marketing purposes of the Data Controller (so-called advanced marketing), consisting, for example, in sending news on the website, current offers of products and services, including organised events, including any offers from the Data Controller’s business partners, etc.
- With the consent of Data Subjects, their personal data resulting from references and reviews provided by them, as well as their photographs or video recordings, may also be processed, in particular for the Data Controller’s marketing purposes.
- The Data Controller is entitled to process this personal data for a maximum of 3 years from the date of consent to its processing, unless consent to its processing is renewed in the meantime. The Data Subject may revoke their consent to the processing of personal data at any time in the manner specified below. However, if the personal data of the Data Subject is also processed on the basis of another legal title (see above), the Data Controller will continue to process the personal data for these purposes even after the consent has been revoked, as consent is not necessary for such processing.
SECURITY AND PROTECTION OF PERSONAL DATA
- In order to comply with security principles in the management and processing of Data Subjects’ personal data, the Data Controller has adopted appropriate technical, security and organisational measures to ensure the protection of such data in line with the state of the art. These measures are designed to prevent unauthorised or accidental access to personal data, its alteration, destruction or loss, unauthorised transfers, unauthorised processing and other misuse of personal data. The personal data of Data Subjects are always protected in the same way as the Data Controller’s data.
- The Data Controller ensures that all entities to whom personal data may be disclosed respect the Data Subjects’ right to privacy and are obliged to comply with the applicable legal regulations concerning personal data protection and the instructions set out in this document.
TRANSFER OF PERSONAL DATA
- The Data Controller is entitled to transfer the personal data of Data Subjects to the extent necessary for the fulfilment of its contractual or legal obligations to third parties, in particular to data storage and software application providers, the relevant administrative authorities, if the Data Controller is obliged to transfer the personal data of Data Subjects to them (e.g. in the case of an inspection during which the authority is entitled to request the submission of personal data, etc.), and to companies providing the Data Controller with services in the areas of marketing, accounting, legal services, IT services, web and mobile application development services, payment gateway service providers, etc.
INFORMATION ON THE RIGHTS OF DATA SUBJECTS
Communication and procedures for exercising the rights of Data Subjects
- The Data Subject is entitled to exercise their rights under this Article 6 by e-mail or written request to the Data Controller’s address above. The Data Subject may also use this method to submit other questions or requests to the Data Controller regarding the protection of personal data or to withdraw their previously given consent to the processing of personal data.
- The Data Subject has the right to receive information from the Data Controller about the measures taken, without undue delay and in any case within 1 month of receiving the request. This period may be extended by a further 2 months if necessary, taking into account the complexity and number of requests. The Data Controller shall inform the Data Subject of any such extension within 1 month of receiving the request, together with the reasons for the delay. If the Data Subject has submitted the request in electronic form, the information shall be provided in electronic form, if possible and unless otherwise requested.
- If the Data Controller does not take the measures requested by the Data Subject, it shall inform the Data Subject without delay, and at the latest within 1 month of receipt of the request, of the reasons for not taking the measures and of the possibility of lodging a complaint with the supervisory authority and seeking judicial protection.
- If the Data Controller has reasonable doubts about the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the Data Subject.
Right of access to personal data
- The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning him or her are being processed and, if so, has the right to access such personal data and information regarding their processing.
Right to rectification
- The Data Subject has the right to have the Data Controller rectify inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, he or she also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure („Right to be forgotten“)
- The Data Subject has the right to have the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller has the obligation to erase personal data without undue delay in cases specified by law, including the GDPR, specifically in the following cases:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- the Data Subject withdraws the consent on the basis of which the data was processed and there is no other legal basis for the processing;
- the Data Subject objects to the processing (in accordance with the „right to object“ below) and there are no overriding legitimate grounds for the processing;
- the personal data has been processed unlawfully.
Right to restriction of processing
- The Data Subject has the right to have the Data Controller restrict processing in any of the following cases, unless otherwise provided by the GDPR:
- if the Data Subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;
- processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- if the Data Subject has objected to processing, pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.
Right to data portability
- The Data Subject has the right to obtain the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller.
Right to object
- For reasons relating to his or her particular situation, the Data Subject has the right to object at any time to the processing of personal data concerning him or her, where such data is processed for the purposes of the legitimate interests of the Data Controller or a third party. Unless the legitimate interests of the Data Controller or a third party override the interests of the Data Subject, the Data Controller will not process the personal data to the extent of the objection.
- If the Data Subject objects to processing for direct marketing purposes, personal data will no longer be processed for these purposes.
Right to lodge a complaint with the Office for Personal Data Protection
- If the Data Subject considers that the processing of their personal data violates legal regulations, including the GDPR, they are entitled to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, +420 234 665 111, www.uoou.cz.
Automated individual decision-making, including profiling
- The Data Subject has the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on him or her or significantly affects him or her in a similar manner. The Data Controller does not make any decisions based solely on automated processing.
This Information on the processing of personal data is effective from 1 January 2026.