Policy on the processing of personal data and the use of cookies and similar technologies („Privacy Policy“)

At Shoptet, a.s., ID no. 289 35 675, with its registered office at Dvořeckého 628/8, Břevnov, 160 00, Praha 6, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under Section B, File 25395 („Shoptet“), we consider the personal information of our customers, suppliers and others to be something that needs to be protected. Shoptet acts as a joint controller with Companies Shoptet s.r.o., ID no. 53607791, with its registered office at Galvániho 15/B Bratislava - mestská časť Ružinov 821 04 Slovak Republic, Shoptet Korlátolt Felelősségű Társaság értendő, ID no. 01-09-357795, with its registered office at 1027 Budapest, Kacsa utca 15-23 Hungary and Reshoper s.r.o., ID no. 04180241, with its registered office at Dvořeckého 628/8, Břevnov, 160 00, Praha 6, Czech Republic in processing the personal data of its customers. Whenever "Shoptet" is mentioned, all joint controllers are meant.

Below you will find out how Shoptet approaches the protection of the personal data of its customers, potential customers, suppliers or other data subjects, as appropriate. The processing of personal data is considered strictly confidential and personal data is treated in accordance with applicable data protection legislation, in particular the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Categories of personal data and purposes of processing

Are you looking for Shoptet services or want to test them?

Shoptet has a broad portfolio of products and services. You can find it at www.shoptet.cz or on the individual product or service websites.

If you make a request for these products and services, Shoptet will work with the contact details you provide for this purpose. This is most often your name, surname, email, telephone number, your requirements regarding the products and services, or any other information that you fill out in the request or provide to Shoptet as part of a further arrangement.

If you choose to test Shoptet products, many of them are linked to a user account that you can access the products through. In this case, some personal identification and contact information (first name, last name, IP address, company details, email, phone number and the details you set up in your user account and product) is required.

What are the purposes and legal basis of the processing?

contacting for further agreement (the processing is necessary for the implementation of measures taken before the conclusion of the contract, see Article 6(1)(b) of the GDPR)
communication if you opt for certain products or services (the processing is necessary for the performance of the contract, see Article 6(1)(b) of the GDPR)
compliance with legal obligations (the processing is necessary for compliance with a legal obligation to which the controller is subject, see Article 6(1)(c) of the GDPR)
setting up access to the user interface (the processing is necessary for the performance of a contract, see Article 6(1)(b) of the GDPR)
joint communication if necessary (the processing is necessary for the performance of the contract, see Article 6(1)(b) of the GDPR)
sending periodic Shoptet newsletters (the processing is in the legitimate interest of Shoptet, in particular for marketing promotion of the company and informing about new functionalities and possibilities, see Article 6(1)(f) GDPR)

The data necessary for the performance of the contract or for the implementation of measures taken before the conclusion of the contract will be processed for the duration of any mutual cooperation and thereafter for 10 years from the last provision of the service. If you do not agree on further cooperation with Shoptet, your data in your user account will cease to be processed no later than 6 months after the last communication or cancellation of the trial. The email address will be included in the database for marketing purposes for 3 years from the last use of the service or product, but you can unsubscribe at any time. The data required to comply with a legal obligation is always processed for the period of time specified by law.

If you have tested a service or products of Shoptet, Shoptet is entitled to process your e-mail address (or telephone number) within the meaning of Section 7(3) of Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts (Act on Certain Information Society Services), as amended, for the purpose of disseminating commercial communications concerning its own products or services, if you have not initially refused such transmission. The email address will be included in the database for 3 years from the last use of the service or product, but you can unsubscribe at any time.

Do you subscribe to Shoptet products or services?

In order to provide its services, Shoptet processes your name, surname, IP address, billing data, e-mail address, telephone number, or personal data of the contact persons you provide, data on the request/provision of services, data on the use of services/products, feedback information and, where applicable, other data related to the manner and content of the services/products used.

What are the purposes and legal basis of the processing?

joint communication and consultative sales (the processing is necessary for the implementation of measures taken before the conclusion of the contract, see Article 6(1)(b) of the GDPR)
the conclusion of the contract itself and the operation of the product or service (the processing is necessary for the performance of the contract, see Article 6(1)(b) of the GDPR)
addressing customer requests (the processing is necessary for the performance of the contract, i.e. to help Shoptet help you use the service correctly, see Article 6(1)(b) of the GDPR)
resolving any issues with the service or products (the processing is necessary for the performance of the contract, i.e. to ensure that the service is available and can be used without restriction, see Article 6(1)(b) of the GDPR)
analysis of how services and products are used, assignment of new product development and product changes (processing with the user's consent, in particular for improving the service and extending its functionalities, see Article 6(1)(a) of the GDPR Regulation, for the duration of the consent given in the browser)
claims management (the processing is necessary for the performance of a contract, see Article 6(1)(b) of the GDPR)
sending periodic Shoptet newsletters (the processing is in the legitimate interest of Shoptet, in particular for marketing promotion of the company and informing about new functionalities and possibilities, see Article 6(1)(f) of the GDPR)
evaluation of the customer's position in the customer journey (the processing is necessary for the performance of the contract, in particular for the effective communication of the customer's current needs and possibilities, see Article 6(1)(b) GDPR)
organisation of consumer competitions and webinars (the processing is necessary for the performance of the contract, i.e. for the proper organisation of the event, see Article 6(1)(b) of the GDPR)
promotion of Shoptet and its customers through the presentation of the cooperation (the processing is with the consent of the participant, see Article 6(1)(a) of the GDPR, for the duration of the consent)
maintenance and operation of IT systems, storage of application logs (the processing is necessary for the performance of the contract, i.e. to ensure the functionality and availability of servers, see Article 6(1)(b) of the GDPR)
the performance of legal or contractual obligations, including invoicing and bookkeeping (the processing is necessary for compliance with a legal obligation to which the controller is subject, see Article 6(1)(c) of the GDPR)

The data required for the performance of the contract or for the implementation of measures taken before the conclusion of the contract will be processed for the duration of the mutual cooperation and thereafter for 10 years from the last provision of the performance. Data processed with your consent is processed for the period specified in the individual consent when it is given. Customer segmentation data is processed for the duration of the cooperation. Data required to comply with a legal obligation is processed for the period of time specified by law.

In the absence of your initial refusal, Shoptet is entitled to process your e-mail address (or telephone number) within the meaning of Section 7(3) of Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts (Act on Certain Information Society Services), as amended, for the purpose of disseminating commercial communications relating to its own products or services. The e-mail address will be included in the database for 3 years from the last use of the service or product, but you can unsubscribe at any time.

You acknowledge that certain commercial communications may only be sent to certain segments of recipients according to different distribution criteria (e.g. by turnover, by product range, by functionality used, etc.). For this purpose, Shoptet carries out customer segmentation (this is processing in the legitimate interest of Shoptet, in particular for the marketing promotion of the company and to inform you about new functionalities and possibilities in an efficient and customer-specific manner, see Article 6(1)(f) of the GDPR).

Are you a business partner (supplier) of Shoptet?

In order to implement the cooperation, it is necessary to process some data (typically name, surname, e-mail address, telephone number, company data, cooperation data).

What are the purposes and legal basis of the processing?

listing and performance of the contract with the partner (the processing is necessary for the performance of the contract, see Article 6(1)(b) of the GDPR)
joint communication (the processing is necessary for the performance of the contract, i.e. to clarify any discrepancies and requests from the partner or Shoptet, see Article 6(1)(b) of the GDPR)
the performance of legal or contractual obligations, including invoicing and bookkeeping (the processing is necessary for compliance with a legal obligation to which the controller is subject, see Article 6(1)(c) of the GDPR)

In the context of the (for example, affiliate) cooperation between you and Shoptet, some personal data of third parties may also be transferred (for example, cookies, lead and conversion data, delivery data, etc.). In case you are a partner providing add-ons available on Shoptet's add-on marketplace, you may process personal data of Shoptet's customers or personal data for which Shoptet's customers are the data controller. In such cases, as individual (separate) data controllers, both parties are responsible for ensuring that the personal data is handled correctly and securely in accordance with the GDPR. Each party is responsible for its own processes and data security, and each party is also responsible for its own provision of legal title for processing and compliance with the confidentiality obligation.

You don't use Shoptet's services yet, but have you signed up for the newsletter?

Your e-mail address will be entered in the newsletter database by Shoptet on the basis of your consent (Article 6(1)(a) GDPR). This consent is voluntary and can be withdrawn at any time. Shoptet will subscribe you for a period of 3 years unless you renew your consent or withdraw it within this period.

Would you like to work at Shoptet and have you submitted your CV?

In this case, Shoptet will process the data you provide in your CV, the contact details you have provided for this purpose and, where applicable, the details of the case study you are given to solve.

This data will be processed for the duration of the open selection process to which you are responding. If you do not agree to continue working with Shoptet, your data will only be processed longer with your consent (Article 6(1)(a) of the GDPR), in case new positions open up at some point in the future. Such consent is voluntary and you can withdraw it at any time. If you are an employee of a company with which Shoptet has a non-solicitation agreement, your data will be processed for the duration of such agreement.

Recipients of personal data

Your personal data is safe with Shoptet and you can be sure that it is not being passed on to just anyone. Personal data is only disclosed to authorised Shoptet’s employees, including freelancers who access the data to assist Shoptet in the operation of the company and the provision of services, or to individual processors and data controllers, and only to the extent necessary to fulfil the individual purposes of the processing.

The aim of these collaborations is to provide the best and most relevant services to you. Service providers may only use the data thus obtained on the basis of a data transfer agreement or data processing agreement between such recipients and Shoptet.

These are in particular:

freelancers involved in the development and maintenance of our products (IT, marketing, data);
companies involved in securing payments (payment gateways, banks, LogiCall);
providers of the features and add-ons you use in our products and services (carriers, Dotidot);
e-mailing service provider (Hubspot);
server provider (VSHosting);
providers of advertising and analytics systems (Google, Facebook, Seznam, Mixpanel);
operators of applications used internally by Shoptet (Salesforce, Recruitee, Slack, Asana, Miro, Slab, DocuSign, Wflow, Spinoco, Figma, MS Office, Keboola, PBI, Metabase, Userpilot);
data recipients in connection with the use of online analytical, statistical, marketing and remarketing tools (see list below);
and others, if we agree on them in the framework of cooperation (Domio).

If your personal data is transferred outside the European Union, this is done using appropriate transfer mechanisms, including appropriate prior assessments and appropriate security measures. The EU-U.S. Data Privacy Framework is generally used whenever Shoptet transfers personal data to the United States, as well as the Standard Contractual Clauses (SCC) issued by the European Commission when personal data is transferred to other third countries.

Further information or a list of recipients will be provided by Shoptet upon request.

Your rights

If you need to discuss anything about your personal data, you can contact Shoptet by email at info@shoptet.cz or by phone at 604 600 444. . Shoptet has appointed a Data Protection Officer who can be contacted by email at DPO@shoptet.cz.

There is no automated decision-making and profiling on the side of Shoptet.

The GDPR, which regulates the area of personal data, gives you, among other things, a number of rights in relation to the processing of personal data. These include the right to:

access to personal data: to obtain confirmation of whether your personal data is being processed; if so, you have the right to receive a copy of such personal data and, in addition, certain other information, including the purposes of the processing, the categories of recipients, the expected retention period and the existence of automated decision-making (including profiling); once your identity has been verified, this statement will be provided to you in a secure manner and in a comprehensible and easily accessible form;

rectify inaccurate or incomplete personal data: to update or complete information about your person to ensure that the information managed is always correct;

delete personal data: request that your personal data be erased without undue delay if (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) you object to the use of the personal data and there are no longer any overriding legitimate grounds for further processing, (iii) the processing is based solely on your consent and you withdraw that consent, or (iv) the erasure is necessary to comply with a legal obligation or if the personal data has been processed in breach of the law;

restrict the processing of personal data: request restriction of the processing of your personal data if (i) you believe that your personal data is incorrect and have therefore requested that it be rectified (in which case you may request restriction of the processing until it is verified that the personal data is indeed incorrect), (ii) the processing of your personal data is unlawful and you do not consent to the erasure of the personal data but instead request, the use of that personal data is restricted, (iii) you request that your personal data is usable for the establishment, exercise or defence of legal claims even if Shoptet no longer needs it for the purposes of its processing, or (iv) while awaiting verification that Shoptet's legitimate grounds outweigh the rights and freedoms of the individual where you have objected to the processing;

data portability: to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller for processing; this right applies in cases where the processing of your personal data is based on the lawful ground that you have given your consent to this processing or that you have entered into a contract with Shoptet and the processing is carried out by automated means;

object to the processing, after which the processing of personal data will be terminated, unless it is demonstrated that there are compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, in particular if the ground is the possible enforcement of legal claims;

lodge a complaint with the supervisory authority, which in the Czech Republic is Úřad pro ochranu osobních údajů (www.uoou.cz) and in the Slovak Republic Úrad na ochranu osobných údajov (https://dataprotection.gov.sk/sk/).

Provisions on the processing of personal data of which you are the controller (data processing agreement):

If Shoptet is a processor of personal data for which you are the controller under the GDPR, the following data processing terms and conditions (processing agreement) apply to Shoptet

Shoptet may process personal data for the client that is stored in Shoptet products or to which Shoptet has access for the purpose of developing/improving/maintaining services for the client. This most often includes customer data such as first name, last name, customer delivery addresses, IP addresses, contact details (phone number, email address), purchase and inquiry data, or data related to purchases.
Shoptet will process personal data solely for the purpose of providing its products and services and improving them, or resolving your requests and correcting errors in services and products, unless we agree otherwise on an individual basis. Shoptet will process data for the client for the duration of the provision of its Shoptet products and services in which the data is located. The data is managed by the client, and Shoptet works with it solely on the basis of the client's instructions.
Shoptet has taken all possible technical, organizational, security, and other measures to prevent unauthorized or accidental access to data, its alteration, destruction, loss, or other unauthorized handling (security breach).
As the controller and processor, we have agreed that Shoptet's liability and obligation to compensate for damage or harm caused by a breach of any obligations agreed in the processing contract, arising from instructions or any other agreement, or resulting for Shoptet from legal regulations, with the exception of harm caused intentionally, gross negligence, or natural human rights, is limited to an amount corresponding to the remuneration that Shoptet received from you for providing (exclusively) its services in the calendar month in which the damage occurred.
In the event that Shoptet discovers a personal data breach, it will first assess the risk that such a breach poses to data subjects. When assessing the risk, Shoptet will take into account, in particular, the intensity of the breach and its possible consequences, the type of personal data affected, and the number of data subjects involved. Given the nature of the processing, the client agrees that Shoptet is best able to determine the likely risk arising from the breach.
As soon as Shoptet discovers a personal data breach, it shall report it to the client without undue delay and take appropriate corrective measures to mitigate or eliminate the adverse effects resulting from the breach. In addition to reporting the breach to the client, Shoptet may also report the breach directly to the supervisory authority or notify the data subjects if, based on a risk assessment, Shoptet concludes that the breach is likely to result in a risk to the rights and freedoms of the data subjects concerned. Shoptet will only report or notify the security breach on behalf of the client if (a) it notifies the client of this intention, and (b) the client does not express their disagreement in writing within the specified time limit (typically 48 hours, in order to comply with the deadlines set out in the GDPR) with Shoptet making such a notification to the supervisory authority or data subjects on behalf of the client. If the client does not express its disagreement in writing in a timely manner, Shoptet will notify the supervisory authority and/or data subjects without undue delay, with the proviso that Shoptet may also make such notifications collectively in the event of breaches affecting multiple clients. Shoptet will always inform the client of any notification made to the supervisory authority or data subjects. For this purpose, the client grants Shoptet their express consent, which can only be revoked in writing within the above-mentioned period by expressing their disagreement in writing. Shoptet is not obliged to report or notify a security breach at the client's request if, in Shoptet's assessment, the breach is unlikely to pose a risk to the rights and freedoms of data subjects.
The client acknowledges that they remain fully responsible for reporting or notifying security breaches within the meaning of Articles 33 and 34 of the GDPR and that Shoptet does not assume the responsibility of a personal data controller in this regard, in particular for the timeliness and completeness of reports or notifications. At the same time, reporting or notifying a security breach does not constitute an admission of any misconduct or fault on the part of Shoptet, and Shoptet's liability to clients in this regard is excluded (limited) to the fullest extent possible under applicable law.
Shoptet has ensured that employees and other persons authorized to process data process data only to the extent and for the purpose of fulfilling the contract and in accordance with legal regulations.
Shoptet undertakes to correct, update, delete, or move personal data at the client's request (within the scope of product and service functionality).
Shoptet will exercise due care in fulfilling its obligations under the GDPR.
Shoptet may involve another processor in the processing of personal data, in particular providers of IT and marketing services necessary and currently available on the market for the purposes of maintenance, operation, and development of Shoptet products, who meet the standards set by the European Union, without the additional express specific permission of the client.
In the event of implementing an add-on to the Shoptet product, the client acknowledges and agrees that the data will be processed by the provider of such add-on (third party) in accordance with its terms and conditions.
In the event of termination of the provision of Shoptet products in which personal data is stored, Shoptet will cease to actively process personal data and will delete existing (backup) copies within 60 days at the latest, unless legal regulations require their retention (e.g. for criminal proceedings, etc.).
14. Shoptet undertakes to maintain confidentiality regarding the data, in particular, it may not disclose, disseminate, or transfer it to persons other than employees or other authorized persons. Shoptet shall ensure that its employees and other authorized persons also comply with the confidentiality obligation. This obligation of Shoptet shall continue even after the termination of mutual cooperation.
15. Shoptet is also obliged to maintain confidentiality regarding the security measures taken to ensure the protection of personal data, even after the termination of mutual cooperation.

Use of cookies and similar technologies

Cookies are small data files stored on your computer, phone, or other device when you visit www.shoptet.cz, or its sub-sites operated by Shoptet ("Website/s").

Shoptet uses necessary cookies on the Website and subsequently cookies and similar tools for analytics (preferences), statistics and marketing purposes. These tools personalize content and advertisements, provide social media features, and analyze Website traffic. Shoptet shares information about how the Website is used with its social media, advertising and analytics partners. Partners may combine this information with other information you provide to them or that they obtain as a result of your use of their services.

Purposes of using the tools on the website

Necessary cookies

Necessary cookies help make the Website usable by enabling basic functions such as site navigation and access to secure sections of the Website. The Website cannot function properly without these cookies.

Preference (analytics)

Processing for these purposes allows us to remember information that changes how the Website behaves or looks. This includes, for example, your preferred language or the region where you are located. They also help us to improve the way the Website works, for example by making it easy for users to find what they are looking for. We also use these tools to analyze and regularly improve the functionality of our Websites.

You acknowledge that the analysis of your e-shop administration behavior is carried out by Shoptet on the basis of legitimate interest, by means of tools designed for this purpose, in order to improve the services offered, to carry out statistics and to analyze the use of individual parts of the administration..

Statistics

Processing for statistical purposes helps us understand how visitors use the Website. The collection of data is based on your consent.

Marketing

Processing for these purposes helps Shoptet to track visitors to the Website. The intention is to display advertising that is relevant and interesting to the individual user and thus more valuable to publishers and third-party advertisers, also using other information available to Shoptet or the advertising system provider, for example through other tools or services. Processing for these purposes is only carried out on the basis of your consent.

 Third party tools and data transfer outside the EU

Shoptet uses the following third party tools on the Website:

Marketing tools and their purpose

Google Ads	Advertising and evaluation in the Google search and content network and YouTube
Display & Video 360	Advertising and evaluation in the Google search and content network and YouTube
Správce reklam Meta	Advertising on social media and with Meta partners
Sklik	Advertising and its evaluation in Seznam search, in the Seznam content network and with the company's partners
Microsoft Advertising	Advertising and evaluation in search and on the Microsoft content network and its partners
TikTok Ads	Advertising on social media and with TikTok partners
LinkedIn Ads	Advertising on social media and with LinkedIn partners
MailChimp	Sending emails, segmentation
HubSpot	Sending emails, segmentation, interfacing with customer management system and user engagement tool, website development and user behavior analysis

Analytical tools and their purpose

Google Tag Manager	Managing brands on websites
Cookiebot	Managing cookies and site user consent
Microsoft Clarity	Analysis of web user behavior

CRM tools

Salesforce

Customer management, web analytics and advertising evaluation, segmentation

Brand management tools

Google Tag Manager	Managing brands on websites
Cookiebot	Managing cookies and site user consent

You acknowledge that if you use a website designed for ordering third party partner supplements, cookies or similar tools may be stored by the respective partners whose supplement page you are currently viewing. The respective processing is carried out directly by the partner and information about its purposes or further details are available in the respective information materials of the partner or on request directly from the partner.

Shoptet also uses Google Tag Manager on the Website (more information on privacy security HERE). It is a technical platform that facilitates the provision and management of other web services and programs for tracking Internet sites using so-called "tags". In this context, Google stores cookies on your device and analyses the use of tools to track your browsing behavior. This data sent by the individual tags is combined under a single user interface, stored and processed. In particular, data such as your IP address and your user activity are transmitted to a Google server as part of your use of the Website by activating Google tags, which may also be processed and stored outside the EU, e.g. in the USA, subject to compliance with the relevant security standards. The tracking tools used within Google Tag Manager ensure that the source codes are anonymized before transmission using Google's address manager. Thus, Google Tag Manager can only collect IP addresses anonymously through so-called IP masking.

 Specific overview of tools and files

Upon request, Shoptet will at any time provide you with a list of the specific cookies and tools it uses in relation to you. Another way to get more information about cookies and, if applicable, a current list of cookies is to search for them via the individual web browsers, most often under Developer Tools.