Personal Data Processing Policy (GDPR)
Last Updated: November 23, 2024
Table of Contents
- 1. Introduction
- 2. Data Controller
- 3. What Personal Data We Process
- 4. Purpose and Legal Basis for Processing
- 5. Sharing Personal Data with Third Parties
- 6. Transfer of Data to Third Countries
- 7. Personal Data Retention Period
- 8. Your Data Subject Rights
- 8.1 Right of Access (Art. 15 GDPR)
- 8.2 Right to Rectification (Art. 16 GDPR)
- 8.3 Right to Erasure "Right to be Forgotten" (Art. 17 GDPR)
- 8.4 Right to Restriction of Processing (Art. 18 GDPR)
- 8.5 Right to Data Portability (Art. 20 GDPR)
- 8.6 Right to Object (Art. 21 GDPR)
- 8.7 Right to Withdraw Consent
- 8.8 Right to Lodge a Complaint
- 9. Personal Data Security
- 10. Automated Decision-Making and Profiling
- 11. Children and Minors
- 12. Changes to This Policy
- 13. Contact
1. Introduction
This personal data processing policy explains how Wellness Shop (hereinafter "we", "us" or "our company") collects, uses, stores and protects your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data (GDPR).
Your privacy is important to us. We are committed to protecting your personal data and handling it transparently and securely.
2. Data Controller
The controller of your personal data is:
Wellness Shop
Email: [email protected]
Web: fatburn.io
If you have any questions regarding the processing of your personal data, you can contact us at the email address above.
3. What Personal Data We Process
As part of operating our multi-product online shop for wellness and weight-management products, we may process the following categories of personal data:
3.1 Data Provided During Registration and Ordering
- Identification data: first name, last name
- Contact data: email address, phone number
- Delivery data: delivery address (street, city, postal code, country)
- Billing data: billing address, VAT number (for legal entities)
3.2 Order and Purchase Data
- Order history
- Purchased products
- Payment methods (we do not store sensitive payment data such as card numbers)
- Delivery preferences
3.3 Communication Data
- Correspondence by email or via the contact form
- Product and health recommendation inquiries
- Customer support and complaints
3.4 Technical Data
- IP address
- Device and browser information
- Cookies and similar technologies
- Website traffic data
3.5 Health Data (Special Category)
Notice: In some cases, we may process sensitive health data:
- Health status information voluntarily shared in inquiries
- Allergies or contraindications relevant to the use of our products
- Health goals (weight loss, increased energy)
Processing of health data occurs only with your explicit consent and is limited to the minimum necessary to provide quality customer support.
4. Purpose and Legal Basis for Processing
4.1 Performance of Contract (Art. 6(1)(b) GDPR)
- Processing and fulfilling orders
- Delivery of ordered products
- Communication regarding orders
- Issuing invoices and tax documents
4.2 Legal Obligation (Art. 6(1)(c) GDPR)
- Accounting and tax obligations
- Document archiving according to applicable laws
- Fulfilling obligations arising from EU or member state law
4.3 Legitimate Interest (Art. 6(1)(f) GDPR)
- Protection against fraud and abuse
- Improving our services and products
- Marketing communication (with opt-out option)
- Traffic and user behavior analysis
4.4 Consent (Art. 6(1)(a) GDPR)
- Sending marketing newsletters
- Processing health data (Art. 9(2)(a) GDPR)
- Content and offer personalization
- Use of optional cookies
You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. Sharing Personal Data with Third Parties
We may share your personal data with the following categories of recipients:
5.1 Service Providers (Processors)
- Delivery services: for product delivery (e.g., Czech Post, DPD, GLS)
- Email services: for order delivery and communication
5.2 Analytical and Marketing Tools
- Google Analytics – traffic analysis
- Google Ads, Facebook – advertising campaigns
5.3 Public Authorities
We may be required to disclose your data to government authorities in cases prescribed by law (e.g., tax office, police).
All our processors are carefully selected and contractually bound to comply with GDPR and ensure protection of your personal data.
6. Transfer of Data to Third Countries
Some of our service providers may process data outside the European Union (e.g., USA). In such cases, we ensure that:
- There is a European Commission adequacy decision, or
- Appropriate safeguards are implemented (e.g., EU standard contractual clauses)
7. Personal Data Retention Period
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Orders and invoices | 10 years | Tax regulations |
| Accounting documents | 10 years | Accounting Act |
| Customer contact data | Until consent withdrawal or 3 years from last order | Legitimate interest |
| Marketing consents | Until consent withdrawal | Consent |
| Health data | Until consent withdrawal | Consent |
| Technical logs | 6 months | Legitimate interest |
After the retention period expires, data is securely deleted or anonymized.
8. Your Data Subject Rights
Under GDPR, you have the following rights:
8.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether or not your personal data is being processed, and if so, you have the right to access that data.
8.2 Right to Rectification (Art. 16 GDPR)
You have the right to rectify inaccurate personal data and to have incomplete data completed.
8.3 Right to Erasure "Right to be Forgotten" (Art. 17 GDPR)
Under certain circumstances, you have the right to request erasure of your personal data.
8.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request restriction of processing of your data in certain situations.
8.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format and the right to transmit that data to another controller.
8.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to processing of your personal data based on legitimate interest or for direct marketing purposes.
8.7 Right to Withdraw Consent
If processing is based on consent, you have the right to withdraw consent at any time.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
Email: [email protected]
Web: www.uoou.cz
To exercise your rights, contact us at: [email protected]
9. Personal Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction or alteration:
Technical Measures:
- Encryption: HTTPS/TLS for data in transit
- Encrypted storage: sensitive data is stored encrypted in the database
- Regular backups: protection against data loss
- Firewall and security monitoring
- Updates and security patches
Organizational Measures:
- Restricted access: only authorized persons
- Employee training on personal data protection
- Processing agreements with external processors
- Security policies and procedures
10. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that would have legal or similarly significant effects on your rights.
We may use basic personalization (product recommendations based on purchase history), but these processes do not significantly impact your rights and you can opt out.
11. Children and Minors
Our products are intended for adults over 18 years of age. We do not knowingly collect personal data from children under 18 without parental or guardian consent.
If we discover that we have inadvertently collected data from a child under 18, we will promptly delete it.
12. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or for legal reasons.
We will inform you about significant changes:
- By notice on our website
- By email (if we have your address)
We recommend regularly reviewing this policy to stay informed about how we protect your data.
13. Contact
For any questions, requests or complaints regarding personal data protection, contact us:
Email: [email protected]
General inquiries: [email protected]
We will respond within 30 days of receiving your request.
By using our services, you confirm that you have read and understood this personal data processing policy.