Privacy Policy – Cupranova.com

Privacy Policy

Effective from 1 May 2026

This Privacy Policy (the “Policy”) describes how ALTEVITA Group, s. r. o. (“We” or the “Controller”) processes the personal data of natural persons in connection with operating the online shop www.cupranova.com (the “Shop”).

This Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the “GDPR”) and the Slovak Act No. 18/2018 Coll. on the Protection of Personal Data, as amended.

Protecting your personal data is important to us. We process it transparently, only to the extent necessary, and only for the purposes set out in this Policy.

1. Controller and contact details

The data controller is the company set out in the table above.

The Controller has not appointed a Data Protection Officer (DPO) as this is not required by law. For all matters relating to the protection of personal data, you may contact us at shop@cupranova.com or in writing at the registered office address.

2. Definitions

• Personal data – any information relating to an identified or identifiable natural person.
• Processing – any operation performed on personal data (collection, storage, use, deletion, etc.).
• Controller – the entity determining the purposes and means of processing (in this case, us).
• Processor – a third party processing personal data on behalf of the Controller under a contract.
• Data subject – the natural person whose personal data we process (you).
• Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

3. What data we process, for what purposes and on what legal basis

We process personal data exclusively for specific, explicitly stated and legitimate purposes:

3.1 Order processing and performance of the purchase contract

• Categories of data: first name and surname, delivery and billing address, e-mail address, phone number, order details, payment details.
• Legal basis: 6(1)(b) GDPR – processing is necessary for the performance of a contract.
• Retention period: for the duration of the contractual relationship and subsequently 10 years in accordance with accounting and tax regulations.

3.2 Issuance and retention of accounting documents

• Categories of data: identification and billing data, data from invoices and tax documents.
• Legal basis: 6(1)(c) GDPR – compliance with a legal obligation (Slovak Accounting Act No. 431/2002 Coll., VAT Act No. 222/2004 Coll.).
• Retention period: 10 years following the year to which they relate.

3.3 User account

• Categories of data: name, e-mail, password (hashed), order history and saved addresses.
• Legal basis: 6(1)(b) GDPR – performance of a contract (providing the account service).
• Retention period: until the account is closed at your request or for up to 5 years of inactivity.

3.4 Handling complaints and contract withdrawals

• Categories of data: identification and contact data, order data, defect description, refund details.
• Legal basis: 6(1)(c) GDPR – compliance with a legal obligation.
• Retention period: 4 years from settlement of the complaint or withdrawal.

3.5 Newsletter (if active)

• Categories of data: e-mail address, name (if provided).
• Legal basis: 6(1)(a) GDPR – consent of the data subject.
• Retention period: until consent is withdrawn (you can easily unsubscribe from each newsletter).

3.6 Marketing communications to existing customers

• Categories of data: e-mail address, information about previous purchases.
• Legal basis: 6(1)(f) GDPR – legitimate interest in direct marketing (Recital 47 GDPR). You can unsubscribe from marketing communications at any time.
• Retention period: 3 years from the last purchase or until you object.

3.7 Contact form and e-mail correspondence

• Categories of data: name, e-mail, message content.
• Legal basis: 6(1)(f) GDPR – legitimate interest in handling inquiries.
• Retention period: 1 year from the last communication.

3.8 Product ratings and reviews

• Categories of data: name or nickname, e-mail, review content.
• Legal basis: 6(1)(a) GDPR – consent.
• Retention period: for the duration of the review being published or until consent is withdrawn.

3.9 Cookies and analytics tools

• Categories of data: cookie identifiers, IP address, browser and device data, behavioural data on the Shop.
• Legal basis: for technically necessary cookies – Art. 6(1)(f) GDPR (legitimate interest in the functioning of the Shop). For analytics, marketing and personalisation cookies – Art. 6(1)(a) GDPR (consent given via the cookie banner).
• Retention period: depending on the cookie type (set out in the cookie banner); consent is valid for a maximum of 12 months.

4. Recipients of personal data

We share your personal data only to the extent necessary with the following categories of recipients:

4.1 Processors

• Carriers: Packeta, DPD, GLS, national postal services, GEIS – for the purpose of delivering goods.
• Payment service providers: banks, payment gateways and online payment service providers – for the purpose of processing payments.
• Hosting and IT infrastructure provider – for operating the Shop and storing data.
• E-mail service providers (transactional and marketing e-mails).
• Accounting firm – for bookkeeping.
• Analytics and marketing service providers (e.g. Google Analytics, Meta Ads – if deployed and subject to your consent).

4.2 Third parties

• Public authorities – where such an obligation arises from law (e.g. tax authorities, courts).
• Lawyers, bailiffs, courts – in the case of enforcement or defence of legal claims.

5. Transfer of personal data to third countries

Some of our processors (notably providers of IT services, analytics and marketing tools) may process personal data outside the European Economic Area (EEA), typically in the USA.

In such cases, the transfer is always secured by one of the following mechanisms within the meaning of Chapter V of the GDPR:

• an adequacy decision of the European Commission (e.g. EU-US Data Privacy Framework);
• standard contractual clauses approved by the European Commission;
• other appropriate safeguards under Art. 46 GDPR.

6. Your rights as a data subject

In connection with the processing of your personal data, you have the following rights under the GDPR:

• Right of access (Art. 15 GDPR) – obtain confirmation as to whether we process your personal data and a copy of such data.
• Right to rectification (Art. 16 GDPR) – correct inaccurate or complete incomplete personal data.
• Right to erasure – the “right to be forgotten” (Art. 17 GDPR).
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object (Art. 21 GDPR) – to processing based on legitimate interest or for direct marketing purposes.
• Right to withdraw consent at any time (Art. 7(3) GDPR), without affecting prior processing.
• Right not to be subject to automated decision-making including profiling (Art. 22 GDPR).
• Right to lodge a complaint with a supervisory authority.

You can exercise your rights by e-mail at shop@cupranova.com or in writing at the registered office. We will respond within 30 days of receiving the request (the deadline may be extended by up to 60 days for complex requests, of which we will inform you).

Supervisory authority

• The lead supervisory authority for the Controller is: Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, dataprotection.gov.sk.
• EU/EEA data subjects may also lodge a complaint with the supervisory authority in their country of habitual residence.

7. Automated decision-making and profiling

When processing your personal data, we do not carry out automated individual decision-making, including profiling, that would produce legal effects concerning you or similarly significantly affect you.

8. Cookies

The Shop uses cookies and similar technologies to ensure basic functionality, analyse traffic, customise content and for marketing purposes.

On your first visit to the Shop, a cookie banner is displayed where you can manage your preferences. Strictly necessary cookies function without consent; other categories are activated only after you have given consent, which you can withdraw at any time in the settings.

9. Security of personal data

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or misuse, in particular:

• encrypted data transmission via HTTPS (TLS);
• access controls and multi-factor authentication for system administration;
• hashing of user account passwords;
• regular data backups;
• regular updates of software components and the server environment.

10. Final provisions

We may update this Policy from time to time. The current version is always published on the Shop together with the effective date. We will inform you of material changes (e.g. by e-mail or notice on the Shop).

This Policy enters into force on 1 May 2026.