Privacy Policy

PERSONAL DATA PROTECTION TERMS

Privacy is very important to us. For this reason, we continuously analyse all personal data processing procedures and ensure their compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR"), which is binding for all Member States of the European Union, as well as with national generally binding personal data protection legislation.

Your personal data is processed by our company, Galenoderm s.r.o., as the controller, with its registered office at Nobelova 28, 831 02 Bratislava - Nové Mesto, ID No.: 51 642 921, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sro, Entry No.: 127536/B, and you can contact us at any time by e-mail at: info@spiridea.com or by phone: +421 2 491 090 33.

This document serves to inform you about the manner and terms of processing your personal data, and about your rights related thereto. We process personal data in areas listed below. Where the period of retention for personal data in any area is determined in years, it will only expire on the last day of the calendar year in which the period should have originally expired for the purpose in question.

1. Purpose, legal basis and the period of retention of personal data

PURPOSE

Ordering and purchase of goods via e-shop:

If you are interested in purchasing goods from our portfolio through our e-shop, we are obliged to process your personal data in order to be able not only to advise you on the selection of goods, but also to receive and properly process your order, deliver the ordered goods, handle complaints, make other claims and perform other related activities and actions.

LEGAL BASIS

We may process your personal data without your consent, as this is necessary for the proper performance of the agreement you have entered into with us.

PERIOD OF RETENTION

During the term of the agreement and 4 years after its termination.

PURPOSE

Customer account:

Goods in our e-shop can also be ordered after you have created your own customer account, through which you can make any future orders, while the details of these orders will be stored in your customer account.

LEGAL BASIS

We may process your personal data that you have provided when registering and logging in to your customer account and data that is subsequently processed in your customer account (e.g. an overview of orders placed), because it is necessary in order to further process your orders, namely in the context of pre-contractual and contractual relations with you.

PERIOD OF RETENTION

For the duration of the registration and the existence of the customer account.

PURPOSE

Direct marketing:

If you have purchased goods from us in the past, it is our interest to offer you the opportunity to purchase other similar goods from our portfolio. For this reason, we will send you an offer of such similar goods that you might be interested in. This is called direct marketing.

LEGAL BASIS

We may process your personal data without your consent, as this is permitted by our legitimate interest, which is to increase the marketability of and demand for our goods, in relation to customers who have already purchased goods from us and who, in our opinion, can reasonably expect that we will offer (send) them further information about similar goods from our portfolio. You always have the right to object to our processing of your data in the context of direct marketing (as set out in point 3).

PERIOD OF RETENTION

For the duration of the contractual relationship with us and 2 years after its termination.

PURPOSE

Advertising and newsletter:

Even in cases where direct marketing is not involved (e.g. you are not yet our customer or we want to offer you goods that are not similar to the goods you have purchased from us), it is our interest to inform you about new products, special promotions and promotional offers.

LEGAL BASIS

We can only do so if you provide us with your consent to process your personal data.

PERIOD OF RETENTION

For the duration of the consent, which you may withdraw at any time (as set out in point 3), but no later than 2 years from the date of consent (after which time we may ask you to consent again and you can freely decide whether or not you choose to do so).

PURPOSE

Suppliers and contractual partners:

If you are our supplier or contractual partner, we need to process your personal data that is necessary for the performance of the agreement we have with you, in particular to communicate with you about the terms of the agreement, to conclude it, as well as to subsequently perform it properly and, if necessary, to enforce its performance.

LEGAL BASIS

We may process your personal data without your consent, as this is necessary to properly perform the concluded agreement.

PERIOD OF RETENTION

During the term of the agreement and 4 years after its termination.

PURPOSE

Contact persons:

If you are only a contact person of our contractual partner (e.g. their statutory body, employee or external worker), we process your personal data required for the performance of the agreement we have concluded.

LEGAL BASIS

In this case, we do not need your consent, since your personal data has to be processed in order to properly perform the agreement under which you have been named as a contact person, and therefore our legitimate interest and the legitimate interest of our contractual partner, for whom you are a contact person, is to ensure the proper and timely performance of such an agreement.

PERIOD OF RETENTION

During the term of the agreement and 4 years after its termination.

PURPOSE

Accounting:

As an accounting entity, we keep accounts in accordance with the relevant generally binding legislation and therefore we also have to process some of your personal data that are included in the accounting records (e.g. incoming and outgoing invoices, cash register entries).

LEGAL BASIS

We process your personal data for this purpose without your consent as it is necessary in order for us to fulfil our legal obligation to keep proper accounting records and to comply with our obligations in this respect.

PERIOD OF RETENTION

For a period of 10 years from the date of the accounting document/supporting document.

PURPOSE

Taxes:

We have obligations arising from tax regulations, in particular in the area of income tax and value added tax, which is why we also have to process your personal data when tax regulations require us to do so.

LEGAL BASIS

We process your personal data for this purpose without your consent, as this is necessary in order for us to comply with our legal obligation under the tax regulations.

PERIOD OF RETENTION

According to generally binding tax legislation, generally for a period of 10 years from the date of the tax document/supporting document.

PURPOSE

Legal claims:

As part of our activities, we monitor and control compliance with legal regulations, attend to legal matters and, if necessary, exercise and enforce our rights and claims or defend against exercised and enforced rights and claims of third parties.

LEGAL BASIS

We may process your personal data without your consent, as this is necessary in order to exercise and enforce our rights and claims or to properly defend against the rights and claims exercised and enforced by third parties, in accordance with the relevant generally binding legislation. The foregoing is our legitimate interest.

PERIOD OF RETENTION

For as long as the rights and claims exist and are enforceable (in particular during the limitation period of the claim).

PURPOSE

Registry management:

We also keep a database of received and sent mail and other records within the registry according to the law, which may contain your personal data if you are, for example, the addressee or recipient of a parcel.

LEGAL BASIS

We process your personal data for this purpose without your consent, as this is necessary for us to comply with a legal obligation under the law in question.

PERIOD OF RETENTION

According to the periods set by us in compliance with the law, or time periods set by us in compliance with the requirement to minimise the retention period, but in the case of routine correspondence mostly 3 years. If it is not clear to you for how long we process your personal data, you can contact us at any time for this purpose.

PURPOSE

Essential cookies:

In order to ensure the functionality and security of our website and its correct loading in your browser, we use essential cookies to enable the basic functionality of the website (you can read more about these cookies in "Cookies").

LEGAL BASIS

We process your personal data because it is in our interest to ensure the proper functioning of the website and its basic functionality. For this reason, we may process the data even without your consent.

PERIOD OF RETENTION

For 7 days from your visit to the website, but no later than the period of time set in your internet browser.

PURPOSE

Non-essential cookies:

In order to make your website user experience more pleasant and efficient, we also use other cookies which are not strictly necessary for the proper functioning of the website but are used, for example, to better tailor advertisements to your interests or to create statistics so that we can adjust the website for better functioning. We also use third-party cookies, such as Google Analytics (you can read more about these cookies in "Cookies").

LEGAL BASIS

We can only process this data on the basis of your consent given to us when you visit our website, while you can choose whether or not to allow cookies. You also have the right to withdraw such consent at any time.

PERIOD OF RETENTION

For as long as consent is given, but no later than 1 year after the visit to the website, unless otherwise stated for each cookie.

PURPOSE

Social networks:

Since we are interested in developing our activities and ensuring the widest possible awareness of our activities, we have set up our own fan pages, user accounts or channels on social networks (especially Facebook and Instagram) through which you can get information about our activities and you can comment, share or like our posts. We will only process your personal data for the purpose of managing and administering the fan pages, user accounts and channels and to obtain anonymised data on statistics.

LEGAL BASIS

We may process the personal data for this purpose even without your consent, as we believe that you can expect us to administer and ensure administration of fan pages, user accounts and channels, which inherently involves the processing of personal data of users who have become our fans, commented on or shared our posts or have otherwise been active on our fan page, user account or channel. In the case statistics are created, these are only made available to us in anonymised form by the social network operators and, in view of the above, we consider that we do not need your specific consent for their disclosure and processing; this is without prejudice to the responsibility of the respective social network operator for the processing of your personal data underlying the creation of these statistics.

PERIOD OF RETENTION

For as long as the fan page, user account, channel exists, but no later than 5 years from the start of the processing of personal data.

PURPOSE

IT security:

As we are very concerned about ensuring data protection and information security in our organisation, we may also process personal data because it is necessary for IT security, security incidents and to deal with other IT administration issues, e.g. by creating a customer account in an information system.

LEGAL BASIS

We may do the above even without your consent, as it is in our interest to protect our information systems and therefore your personal data. In this case we mostly process your IP address data.

PERIOD OF RETENTION

For as long as necessary to ensure the traceability of a security incident, but no later than 6 months.

PURPOSE

GDPR:

Our company is interested in duly complying with all its obligations in the area of personal data protection and therefore we also process your personal data whenever necessary for the handling of inquiries, requests, security incidents and to fulfil our obligations under the GDPR and other generally binding data protection legislation.

LEGAL BASIS

We may carry out the above processing of personal data without your consent, as this is necessary in order to comply with our obligations as a data controller under the GDPR and other generally binding data protection legislation.

PERIOD OF RETENTION

For a period of 5 years from the creation of the output.

2. Recipients or categories of recipients

We protect personal data and do not disclose it to or share it with third parties or entities, except for our contractors who process personal data on our behalf and ensure its protection according to our instructions. This includes, in particular, providers of cloud services (web hosting), accounting, marketing and IT services. Where we use the legal services of auditors, solicitors or other regulated professions, these are considered to be separate data controllers and are therefore obliged to ensure that your personal data is protected on their own terms. Where such an obligation arises by law or by decision of a public authority, your personal data will also be disclosed to public authorities or other bodies.

3. Data subject’s rights

As a data subject, you have several rights under the GDPR, which we would like to draw your attention to:

Right of access to personal data

You have the right to request from us a confirmation as to whether or not we process personal data concerning you and, where that is the case, also the right to basic information about the processing of your personal data. The first provision of the above personal data to the buyer is free of charge. Repeated provision of personal data requested by the data subject will be subject to an administrative fee of EUR 5.

Right to rectification and/or completion of personal data

You have the right to request that we rectify incorrect personal data concerning you without undue delay, as well as the right to have incomplete personal data completed.

Right to erasure of personal data

You have the right to request an immediate erasure of your personal data only if:

• the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• you withdraw the consent on which the processing is based and where there is no other legal ground for the processing;
• you object to the processing and there are no overriding legitimate grounds for the processing;
• the personal data has been unlawfully processed;
• the personal data has to be erased for compliance with a legal obligation in European Union or Member State law to which we are subject;
• the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

You can contact us at any time for this purpose and we will then assess whether there are any exceptions in your case where it is not necessary to delete your data even if one of the above conditions is met (e.g. it is required for the exercise of legal claims).

Right to restriction of processing of the personal data

You have the right to obtain from us a restriction of processing of your data (i.e. your data is only stored by us but it is not processed in any other way) if:

• you have contested the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
• we no longer need your personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims;
• you have objected to processing.

You can contact us at any time for this purpose and we will then assess whether there are any exceptions in your case where your data can also be processed in other ways in addition to storing.

          Right to object to processing of personal data

You have the right to object to processing of your personal data where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of your person requiring the protection of personal data. We may only process your personal data if we can demonstrate compelling legitimate grounds for the processing which would override the interests, rights and freedoms or grounds for establishing, exercising or defending legal claims.

Right to personal data portability

If the processing of your personal data is carried out by automated means, on the basis of your consent or for the performance of an agreement, you have the right to obtain the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer this data to another person (controller), provided, however, that this is technically feasible.

Right to withdraw the consent to personal data processing

Last but not least, you have the right to withdraw your consent to the processing of personal data concerning you at any time, if you have given such consent, by sending a withdrawal to the above indicated contact details of the controller. The withdrawal of consent does not affect the lawfulness of the processing of personal data based on the consent prior to its withdrawal.

Right to lodge a complaint with a supervisory authority

We hereby also inform you that if you believe that there has been a violation of the rights of natural persons in the processing of your personal data or a violation of the GDPR, you may submit a request for initiation of a personal data protection procedure to the competent supervisory authority (pursuant to Article 77 of the GDPR in the Member State of your habitual residence, place of work or place of the alleged violation), whose contact details can be found here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

4. Request to provide personal data

The provision of your personal data, processed by us on the basis of your consent, is voluntary and it is not a legal or contractual requirement, hence your decision not to provide the data has no negative consequences for you. Where the processing of personal data is done on the legal basis of performing an agreement or complying with a legal obligation, your failure to provide the data may result in an impossibility to perform such an agreement or in a breach of a legal obligation. In the case of essential cookies, failure to provide personal data may result in the website not working. In other cases, failure to provide personal data will not have any adverse consequences for you.

The controller has the right to amend these Personal Data Protection Terms. They will publish the new version of the Personal Data Protection Terms on their website and at the same time send the new version of the Personal Data Protection Terms to your e-mail address which you have provided to the controller.

The present Terms become effective as of 07.03.2025