Principles of Processing and Protection of Personal Data

I. Basic provisions

1. The Seller processes personal data, in accordance with Act no. 18/2018 Coll. on the protection of personal data and amending certain laws and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”). 2. The administrator of personal date is under Article 4 (7) of the GDPR Regulation simple story s.r.o., Company ID 51 897 202, with its registered office at Devínska cesta 92, 841 04 Bratislava – the municipality of Devín (the “Administrator”). 3. Contact details of the administrator are: address: Devínska cesta 92, 841 04 Bratislava – city district Devín  E-mail: 4. Personal information is any information relating to you as an identified or identifiable existing person. This could be your name, home address, ID number, Internet Protocol (IP) code, credit card number, login details, etc. 5. The Administrator has not appointed a Data Protection Officer as they are not legally obliged to do so. Personal data is managed by the Administrator themselves.

II. Sources and categories of processed personal data:

1. The Administrator processes the personal information you provided to them or the personal information that the Administrator obtained as a result of your order. 2. The Administrator processes your identification and contact information and the data necessary for performance of the contract and payment for goods and services. 3. The scope or the list of processed personal data is determined by the applicable legal regulations, directly or indirectly results from a concluded contract for the fulfilment of your order, as well as other contractual documentation, or is stated in the consent to the personal data processing. For marketing purposes, the Administrator shall process the following categories of personal data: a. Basic identification data – title, name, surname and address of residence; b. Contact details – e-mail address and phone number` c. Information on the use of products and services – what services we provided you in the past, information on the use of the client zone, and the like, and on the basis of this data we can recommend suitable products and services; d. Information from records of telephone calls or other interactions with you, for example via e-mail, SMS, Facebook, Google or Instagram.

III. Legal reason and purpose of processing personal data:

1. The legal reason for the processing of personal data is: a. performance of the contract between you and the Administrator pursuant to Art. 6 par. 1 (b) of the GDPR; b. the legitimate interest of the Administrator in the provision of direct marketing (for sending business notifications and newsletters) pursuant to Art. 6 par. 1 (f) of the GDPR; 2. The purpose of processing personal data is to create your user account and process your order and to exercise the rights and obligations arising from the contractual relationship between you and the Administrator. The order requires personal data necessary for successful order processing (name and address, contact details). The provision of personal data is a necessary requirement for the conclusion and performance of the contract, without the provision of personal data it is not possible to conclude the contract or execute it by the Administrator. 3. If personal data are processed on the basis of consent for marketing purposes, the main objective of processing is to provide you with the latest information about the current products and services of the Administrator or the offers and services of the Administrator’s business partners, and the processing of personal data is mainly related to the following activities: – The offer of products and services, whereby the Administrator may provide offers in electronic form, in particular in the form of e-mail messages or messages sent to mobile devices via a telephone number or Instagram, Google and Facebook as well as via the client zone; – Automated processing of personal data in order to adapt the offer to your individual needs; – Customer satisfaction surveys related to products and services used. The consent given for marketing purposes is voluntary. However, it is necessary for the Administrator to be able to send individual offers of products and services and other materials and information, but without consent, the Administrator shall not be entitled to provide the services in question. 4. There is no automatic individual decision-making within the meaning of Art. 22 GDPR.

IV. Data retention period

1. The Administrator shall keep personal data: a. for the period necessary to exercise the rights and obligations arising from the contractual relationship between you and the Administrator and to assert claims arising from these contractual relationships (for a maximum of 15 years from the termination of the contractual relationship). b. for as long as the consent to the processing of personal data for marketing purposes is withdrawn, for a maximum of 3 years if the personal data are processed by consent. 2. After the expiry of the personal data retention period, the Administrator shall permanently delete the personal data.

V. Recipients of personal data (Subcontractors of the Administrator)

1. The recipients of personal data are the persons: a. involved in the delivery of goods / services / payments under contract b. providing e-shop operation services and other services related to e-shop operation c. providing marketing services if you have given your consent for direct marketing purposes d. providing payment gateway services 2. The Administrator shall not disclose personal data to a third country (outside the EU) or to an international organization.

VI. Your Rights

1. Under the conditions set out in the GDPR, you have: a. the right of access to your personal data under Art. 15 GDPR, b. the right to have an objection to processing under Art. 21 GDPR and to direct marketing. c. the right to rectify personal data under Art. 16 GDPR, or processing restrictions under Art. 18 GDPR. d. the right to delete personal data under Art. 17 GDPR and the right to be forgotten. e. the right to data portability under Art. 20 GDPR. f. the right to revoke the processing consent in writing or electronically to the Administrator’s address or e-mail referred to in Art. I of these conditions. 2. You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to privacy has been violated.

VII. Conditions for securing personal data

1. The Administrator declares that they have taken all technical and organizational measures to safeguard personal data. 2. The Administrator shall take technical measures to ensure data and personal data storage in writing. 3. The Administrator declares that only authorized persons have access to personal data.

VIII. Cookies and similar technologies

1. Our website processes basic cookies that allow you to use basic features such as logging in to a registered user or pre-filling forms and remembering your preferences and operating cookies to record and analyse visitor behaviour on the website and subsequently improve its functionality and appearance. If you disable these cookies, we cannot guarantee the full functionality of our website. This information serves only for comfortable and efficient functioning of the e-shop and is not provided to any third party.

IX. Final Provisions

1. By submitting an order form from the online order form, you confirm that you are familiar with the terms of privacy and that you accept them in their entirety. 2. You agree to these terms by checking your consent using the online form. By checking your consent, you acknowledge that you are familiar with the terms of privacy and that you accept them in full. 3. The Administrator is entitled to change these conditions. They will publish the new version of the Privacy Policy on their website and at the same time they send a new version of the Privacy Policy to your e-mail address you provided to the Administrator. These conditions come into effect on 9 September 2019.