
Privacy Policy

The company ALFAVARIA Group s.r.o. takes care to protect your privacy.

The administrator of personal data is the business company ALFAVARIA Group s.r.o., with its registered office at Pobřežní 28, 463 31 Chrastava, identification number: 25002678, registered at the Regional Court in Ústí nad Labem, file C10715.

The administrator’s contact details are as follows: delivery address Londýnská 78, 460 01 Liberec, e-mail address alfavaria@alfavaria.cz, telephone 485 100 303.

For better clarity and orientation, the following terms are used frequently in this Policy.

  • E-shop – internet application available on the internet, developed for the purpose of displaying, selecting and ordering goods by the customer, shop.alfavaria.cz;
  • Personal data – any information about the subject, on the basis of which it can be directly or indirectly identified
  • Registered user – a data subject who has used the possibility to set up and use a user account available on the Administrator’s website
  • Administrator – determines the goals and means of processing. That is us, mostly in the position of the seller of our goods or services.
  • Data subject – a natural person to whom Personal Data relates, most often a customer or a potential customer
  • User account – an account established under the conditions set out in the business conditions, which is protected by a password selected by the User
  • Web – the Administrator’s website www.alfavaria.cz
  • Processor – performs processing activities on the basis of a contract or other authorization for the Administrator
  • Processing of personal data – any operation or set of operations with personal data or files of personal data, which is performed with or without the help of automated procedures, such as collection, recording, organizing, structuring, storing, adapting or modifying, searching, viewing, using, access by transmission, dissemination or any other access, alignment or combination, restriction, deletion or destruction.

Categories of personal data

The Administrator processes personal data of registered Users as well as its unregistered customers. It specifies the processing goals and resources. The administrator does not process sensitive personal data.

Categories of personal data: name, surname, e-mail, mobile phone, billing data, bank connection, user account login, user account behavior, IP address, cookies

Personal data provided voluntarily. Users voluntarily provide personal data to the Administrator, as soon as the User registers, purchases in the Administrator’s E-shop, communicates with support or in another similar way.

Publicly available personal data. The controller may process personal data from publicly available sources and combine them.

Website. The controller processes information about when data subjects visit and view its website. This information may include IP address, web activity and other information about interacting with our website. We may collect this data as part of a log or through cookies or other tracking technologies.

Social networks. The administrator has a profile on Facebook, Google plus and YouTube. Any information, communication or material provided through the social media platform is provided at your own risk. The administrator cannot guard all users of social networks or even providers of these networks. The protection of personal data is addressed separately within each of the mentioned platforms.

If the data subject creates an account on the administrator’s website by logging in via Facebook or Google+ social media, the administrator will not have access to the login passwords for these accounts on social networks.

The data subject may be logged in to Facebook, Google Account, Twitter, Youtube at the same time using the Administrator’s website. The administrator thus allows the data subject to share his / her website experience with the data subject’s friends on his / her social networking profile. You can also link to the administrator’s website by sending via e-mail.

Processing purposes

All the mentioned categories of personal data are processed by the Administrator, as they are necessary for the fulfillment of the following purposes:

User account registration

The e-shop run by the administrator allows registration. During registration, personal data is required in order to create a user account, which is used to list orders that the data subject makes or has already made, retrieve discounts on further purchases, or manage billing and shipping data.

The legal reason for processing personal data for the purposes of registration in the e-shop is the granting of voluntary, unconditional consent of the personal data subject to the administrator, in the form of a confirmation of the Send registration button.

Performance of the contract

The legal reason for processing personal data is the performance of a contract to which the data subject is a party or the implementation of measures taken before the conclusion of the contract.

The processing of personal data is carried out for the purpose of the smooth delivery of goods or services ordered by the data subject.


Sending promotional e-mails to registered users and / or customers to promote similar products and services. The Administrator may send commercial communications to the contacts of its Users or customers, where, based on a legitimate interest, it promotes similar products and services through direct marketing, but only until the recipient disagrees. In addition to the case of legitimate interest, the Administrator may also send commercial communications to those who have given their consent to the processing of personal data for marketing and business purposes in advance. The “Logout” function is set in every marketing communication that the Administrator disseminates, i.e. even if it communicates with its Users. The administrator usually sends business messages regarding the offer of his products or services twice a month.

Subscription to business messages

The e-shop Administrator allows you to subscribe to business messages (Tips for a professional workshop).

The legal reason for processing personal data for the purpose of sending commercial communications is the granting of voluntary, unconditional consent of the personal data subject to the administrator, in the form of a confirmation of the I want to receive button on the relevant subscription page. Each customer is duly informed through this policy of their rights with regard to personal data protection.

Signing up for business communications takes place in a so-called double opt-in mode, which prevents any misuse of the e-mail address. In practice, this means that after confirming the I want to receive button, a confirmation of the request to receive business messages is sent to the entered e-mail. This confirmation contains an active link, and only by clicking on it will the e-mail be included in the database of recipients of commercial message subscribers.
The administrator uses the Ecomail.cz service to send all business messages.

Sending transactional e-mails.

These are messages for registered Users, to ensure information about the necessary maintenance or error states of the E-shop, as well as about new functionalities. At the same time, this includes e-mails about the status of the order, delivery, etc.


The administrator’s website uses cookies.

Cookies are small files that temporarily store information in your browser and are commonly used to distinguish user behavior on the site. However, the user’s person is not identifiable on the basis of this information. Cookies help, for example:

  • the proper functioning of the site so that the purchase process can be completed with the least difficulty;
  • when remembering account credentials on the site, so you don’t have to enter them every time;
  • determining which sites and features visitors use most, to adapt our offer as best as possible;
  • help determine which ads visitors view most often so that they don’t see the same ad while browsing, or they don’t see an ad for goods they’re not interested in

Some cookies may collect information which is subsequently used by third parties and which, for example, directly supports our advertising activities (so-called “third party cookies”). For example, information about the products you view may be used to show a visitor on a website outside the administrator’s site only the advertisement that is relevant to that particular user, without the user being bothered by an advertisement that does not interest them. However, you cannot be identified by this information.

The administrator’s website uses the following third-party cookies:

AdWords (Google Inc), Sklik (Seznam.cz, a.s.), Facebook (Facebook Inc), Heureka (Heureka Shopping s.r.o.), Goods (Seznam.cz, a.s.), Ecomail (Ecomail.cz s.r.o.): for tracking, remarketing
Google Analytics (Google Inc): for web analytics

You can use your web browser to reject cookies or set the use of only certain cookies.

Links to external sites

For optimal information of visitors, the Administrator’s website contains links to third-party websites (usually business partners with whom the Administrator cooperates). If the data subject clicks on this link, they acknowledge that third party sites have their own data protection policies, which may differ from the administrator’s website policies.

Sending the contact form

The Administrator’s website allows you to contact the Administrator via the contact form.

In addition to the question, the name, telephone or e-mail must be entered in the form. By pressing the Send form button, the data subject agrees to the processing of personal data for the purpose of contacting and answering the entered query.

The time for processing personal data in the case of sending a contact form, for which personal data will be stored by the administrator, is the duration of the query, then the personal data are deleted from the administrator’s database.

Other marketing activities on the administrator’s website

On the administrator’s website you may encounter other marketing activities such as: filling out a questionnaire, quiz, participation in the competition, etc. These are extraordinary, time-limited activities, for which it is always stated separately what personal data the administrator collects and how they are further handled.

The controller is obliged to process the personal data that are necessary for the proper provision of the service, or in order to fulfill all obligations of the controller, whether these obligations arise from the contract or from generally binding legal regulations, regardless of the consent granted by the data subject, for the period specified by the relevant legal regulations or in accordance with them.

Compliance with legal requirements, including participation in court proceedings and legal requirements of public administration bodies, including compliance with national security or law.

Scheduled processing time

For the purposes of registration and maintenance of the User Account, all categories of data of this document may be processed for a period of 5 years from the last active inspection of the User Account, unless the data subject requests the cancellation of the account earlier.

For the purposes of fulfilling the rights and obligations arising from the contractual relationship between the controller and the customer, for the duration of the contractual relationship between the controller and the data subject, or for the time necessary to fulfill legal obligations and protect their legitimate interests, but no later than 5 years from the date of termination of the contractual relationship with the data subject.

The time for processing personal data in the case of sending commercial communications is 2 years from the last active inspection of the commercial communication by the customer, if the data subject does not unsubscribe from the collection earlier.

Exceptions are tax documents issued by the Administrator in accordance with Section 35 of Act No. 235/2004 Coll. Tax documents are kept for a period of 10 years from the end of the tax period in which the performance took place.

Technical, security and organizational measures

Technical and safety measures. The Administrator’s developers work with attorneys to ensure that the Administrator’s sales of goods and services comply with applicable spam and privacy laws. The administrator meets the strict requirements of the GDPR.

The administrator cannot disclose all details and circumstances of a technical nature by which it protects its website and e-shop and the personal data it processes. Disclosure of details could make it easier for those who might seek to break systems and security barriers.

Organizational measures. All employees who have access to Personal Data are bound by confidentiality and must respect security principles. Access to all systems within the Application is personalized, covered by passwords that are created in different ways. The systems record logs so that we can control the access of individual employees to individual databases. Employees are regularly trained.

Office. The Administrator’s offices are secure, lockable, and strangers cannot access them without the Administrator’s knowledge. The Administrator does not keep records in paper form, except where it is absolutely necessary. In this case, the Administrator keeps them under lock and key.

Transfer of personal data to third parties

Our processors. The Administrator uses only trusted processors who provide the Administrator with at least the same guarantees as the Administrator to data subjects. The administrator only uses processors who are from the EU or from countries safe according to the decision of the European Commission. All these partners are bound by the obligation of confidentiality and may not use the provided data for any purposes other than those for which they were made available to them by the administrator.

Our processors are an accounting firm, payment gateways, lawyers, developers or marketing specialists, as well as software and cloud solutions. We use the services and our data can be stored on the servers of SAP SE, Google LLC. We use the services of couriers and carriers of goods, as well as the services of Sklik.cz, Heureka.cz, Zboží.cz. We provide details about our processors on request.

Legal obligations. The Administrator may transfer personal data to third parties if required by law or in response to legal requirements of public authorities or at the request of a court in litigation.

Rights of data subjects

Personal data of the registered User. An administrator who is in the position of administrator may request access to personal data and request the correction, modification, deletion or restriction of the processing of personal data where they are inaccurate or have been processed in violation of applicable data protection laws. The user has the right to the transferability of personal data, to object to the processing of personal data, the right to withdraw consent to the processing of personal data and the right not to be subject to automated individual decision-making, including profiling (which the Administrator does not do).

The rights of data subjects can be exercised on the e-mail alfavaria@alfavaria.cz

The controller shall endeavor to be able to comply with the rights of the data subjects without delay. However, there may be circumstances in which the Administrator cannot provide access (for example, if the requested information endangers the privacy of others or other legitimate rights, or where the cost of providing access would be disproportionate to the risks to individual privacy in the case). The Administrator shall take reasonable steps to verify the identity of the User before taking any action regarding the rights of the data subjects.

Details of data subjects’ rights:

Right of access to personal data

Pursuant to Article 15 of the GDPR, you will have the right to access personal data, which includes the right to obtain from the Administrator:

  • confirmation whether it processes personal data,
  • information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data were or will be disclosed, the planned processing time, the existence of the right to request from the controller the correction or deletion of personal data concerning the data subject or the restriction of their processing, or to object to such processing, the right to lodge a complaint with the Authority, all available information on the source of personal data, if not obtained from the data subject, the fact that there is automated decision-making, including profiling, and the appropriate safeguards when transferring data outside the EU,
  • provided that the rights and freedoms of others are not adversely affected, as well as a copy of personal data.

In the event of a repeated request, the Administrator will be entitled to charge a reasonable fee for the copy of personal data.

The right to correct inaccurate data

According to Article 16 of the GDPR, the data subject has the right to correct inaccurate personal data. The data subject is also obliged to notify changes to his personal data. At the same time, he is obliged to provide co-operation if it is found that the personal data that the Administrator processes about him are not accurate. The correction will be made by the Administrator without undue delay, but always with regard to the given technical possibilities.

Right to delete

Pursuant to Article 17 of the GDPR, the data subject will have the right to delete personal data concerning him or her unless the controller proves legitimate reasons for the processing of such personal data. The administrator has mechanisms in place to ensure automatic anonymization or deletion of personal data if they are no longer needed for the purpose for which they were processed.

The right to restrict processing

According to Article 18 of the GDPR, the data subject has the right to limit the processing until the complaint is resolved, if he denies the accuracy of the personal data, the reasons for their processing or if he objects to their processing.

The right to be notified of a correction, deletion or restriction of processing

According to Article 19 of the GDPR, the data subject has the right to be notified in case of correction, deletion or restriction of the processing of personal data. If personal data is corrected or deleted, the Administrator will inform individual recipients, except in cases where this proves impossible or requires a disproportionate effort.

The right to the transferability of personal data

Under Article 20 of the GDPR, the data subject has the right to the portability of the data concerning him provided to the controller in a structured, commonly used and machine-readable format, and the right to request the transfer of such data to another controller.

If you provide personal data in connection with the Agreement on the provision of services to the Administrator or on the basis of consent and their processing is performed automatically, you have the right to obtain such data from the Administrator in a structured, commonly used and machine-readable format. If technically feasible, the data may also be transferred to the administrator designated by you, provided that the person acting on behalf of the relevant administrator is duly designated and can be authorized.

In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be complied with.

The right to object to the processing of personal data

Pursuant to Article 21 of the GDPR, the data subject has the right to object to the processing of his personal data on grounds of legitimate interest.

If the Controller fails to demonstrate that there is a serious legitimate reason for processing which outweighs the interests or rights and freedoms of the data subject, he or she shall terminate the processing without undue delay.

If the objection is filed in the case of processing related to direct marketing, then the Administrator will terminate the processing without undue delay.

The right to withdraw consent to the processing of personal data

Consent to the processing of personal data for marketing and business purposes can be revoked at any time after this date. The withdrawal must be made as an explicit, comprehensible and definite expression of will.

Processing of data from cookies can be prevented by setting a web browser.

Automated individual decision-making, including profiling

The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for him or her or affect him or her in a similarly significant way. The controller states that it does not carry out automated decision-making without the influence of human judgment with legal effects on data subjects.


The goods and services of the Administrator are not primarily intended for persons under the age of 16. The administrator does not knowingly collect personal data from persons under the age of 16.

These policies can only be changed in writing. Users will be informed via the Administrator’s website or via the User Account.

In case of any questions regarding our Privacy Policy, please feel free to contact us via e-mail at alfavaria@alfavaria.cz, or send a letter to: Londýnská 78, 460 01 Liberec.