Datenschutzerklärung

This Privacy Policy describes how we process your personal data in connection with the operation of the online store at www.wavepouches.com. We act in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) and Czech Act No. 110/2019 Coll., on the Processing of Personal Data.

1. Identity and contact details of the controller

The controller of your personal data is:

• Name: Filip Matějka
  
  
• Place of business: Frostova 336/23, 109 00 Praha-Petrovice, Czech Republic
  
  
• Business ID No. (IČO): 01304241
  
  
• Registration: Czech Trade Licensing Register; not a VAT payer
  
  
• E-mail: zakaznici@wavepouch.cz

(hereinafter the “Controller”)

The Controller has not appointed a Data Protection Officer, as it is not obliged to do so under Article 37 of the GDPR.

2. Legal basis and purpose of processing

We process your personal data on the following legal grounds:

• Performance of a contract (Article 6(1)(b) GDPR) - processing is necessary for the performance of your order, delivery of goods, handling of complaints, and communication regarding your purchase.
  
  
• Compliance with a legal obligation (Article 6(1)(c) GDPR) - in particular obligations arising from accounting and consumer protection legislation.
  
  
• Legitimate interest (Article 6(1)(f) GDPR) - for direct marketing to existing customers, protection of our legal claims, and ensuring website security.
  
  
• Consent (Article 6(1)(a) GDPR) - for sending newsletters to persons who have not yet purchased from us, for processing of analytical and marketing cookies, and for other purposes for which you have explicitly given us consent.

3. Categories of personal data processed

We only process the data necessary for the above purposes:

• name and surname,
  
  
• contact address (street, house number, city, postal code, country),
  
  
• e-mail address and phone number,
  
  
• payment data (account number, payment data - card details are processed by the payment gateway, not by us),
  
  
• order history and communication,
  
  
• Business ID and Tax ID (for self-employed natural persons),
  
  
• technical data (IP address, device identifiers, cookies, website browsing data).
  
  
• 4. Data retention period

We keep your personal data only for the time strictly necessary:

• Data processed for performance of a contract: for the duration of the contractual relationship and subsequently for the general limitation period (typically 3 years from termination of the contractual relationship).
  
  
• Accounting documents: for 5 years from the end of the accounting period to which they relate, in accordance with Czech Act No. 563/1991 Coll., on Accounting.
  
  
• Data for marketing purposes (newsletter): until consent is withdrawn or an objection to processing is raised (no longer than 5 years from the last contact with the customer).
  
  
• Cookies: according to the cookie banner settings and cookie type (max. 24 months).

5. Recipients of personal data (processors)

Your personal data may be passed to the following categories of trusted processors with whom we have concluded a data processing agreement, or with whom equivalent contractual arrangements are in place:

• E-commerce platform provider: Shopify International Limited (Ireland) - provider of the Shopify platform on which the online store operates.
  
  
• Carrier: Zásilkovna s.r.o., ID No.: 28408306, with registered office at Lihovarská 1060/12, 190 00 Prague 9 (operator of the Packeta and Z-BOX network) - for the purpose of delivery of consignments.
  
  
• Payment service provider: Shopify Payments / Stripe Payments Europe Ltd. (Ireland) - for processing card, Apple Pay and Google Pay payments.
  
  
• Accounting and tax advisors: external accounting firm - for compliance with statutory accounting and tax obligations.
  
  
• Marketing and analytics tools: Google Ireland Ltd. (Google Analytics, Google Ads), Meta Platforms Ireland Ltd. (Facebook/Instagram pixel) - only to the extent of granted cookie consent.
  
  
• E-mail marketing provider: Klaviyo, Inc. (USA) via Klaviyo EU Limited (Ireland) - for sending newsletters and transactional e-mails.

6. International transfers of personal data

Some of the processors listed above (in particular Shopify, Stripe, Klaviyo and Google) may, in the course of providing their services, transfer your personal data to third countries outside the European Economic Area, typically to the United States. Such transfers are carried out in accordance with the GDPR, in particular on the basis of:

• a European Commission adequacy decision (EU-U.S. Data Privacy Framework for certified entities in the United States),
  
  
• standard contractual clauses approved by the European Commission (Article 46(2) GDPR),
  
  
• or other appropriate safeguards under Article 46 GDPR.

7. Your rights under the GDPR

As a data subject, you have the following rights with respect to your personal data:

• Right of access (Article 15 GDPR) - you can request information on what data we process about you.
  
  
• Right to rectification (Article 16 GDPR) - you have the right to have incomplete or incorrect data corrected.
  
  
• Right to erasure (“right to be forgotten”, Article 17 GDPR) - if data is no longer needed for the given purpose or you withdraw consent.
  
  
• Right to restriction of processing (Article 18 GDPR) - in cases set out in the Regulation.
  
  
• Right to data portability (Article 20 GDPR) - to obtain your data in a structured, commonly used and machine-readable format.
  
  
• Right to object (Article 21 GDPR) - to processing based on legitimate interest, including direct marketing.
  
  
• Right to withdraw consent (Article 7(3) GDPR) - at any time for processing based on consent, without affecting the lawfulness of processing carried out before withdrawal.
  
  
• Right to lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz - a complaint may be filed without prior contact with the Controller. Consumers domiciled in another EU Member State may also lodge a complaint with their local supervisory authority.

You can exercise your rights in writing at the Controller’s place of business or electronically at the e-mail address zakaznici@wavepouch.cz. We will respond to your request without undue delay, no later than 30 days after receipt.

8. Automated decision-making and profiling

In the processing of your personal data, no automated individual decision-making within the meaning of Article 22 GDPR takes place, nor any profiling with legal or similarly significant effects.

9. Cookies

Our website uses cookies. Detailed information (types, purpose, retention period and management options) is provided in the separate document “Cookie Policy”, available on the Website, or within the cookie banner. You can change your consent to analytical and marketing cookies at any time via the cookie banner settings.

10. Data security

We declare that we have adopted all appropriate technical and organisational measures to secure personal data (in particular HTTPS-encrypted communication, access rights management, regular backups and system updates) to prevent unauthorised access, loss, destruction or disclosure.

11. Final provisions

This Privacy Policy comes into effect on 7.5.2026. The Controller reserves the right to amend the Privacy Policy. The current version is always published on the Seller’s Website.

Prague, 7.5.2026.