PRIVACY POLICY

1. Introduction and Scope

1.1.
This Privacy Policy (the “Policy”) sets out, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), as well as the applicable provisions of Czech law, the principles, rules, and procedures governing the collection, storage, use, and disclosure of personal data processed through the online store accessible at www.hanzoblades.com (the “Website”).

1.2.
This Policy applies to all individuals visiting the Website, placing orders through the Website, or otherwise interacting with the operator in connection with the offering, sale, and delivery of goods. For the avoidance of doubt, “personal data” shall mean any information relating to an identified or identifiable natural person as defined under Article 4(1) GDPR.


2. Categories of Personal Data Processed

2.1. Identification and contact data.
In order to conclude purchase contracts, deliver goods, provide support, and meet statutory obligations, we collect and process identification and contact data. Such data typically includes first and last name, residential and delivery address, billing address (if different), telephone number, and email address. This data is necessary not only for the performance of the contract but also to ensure that communications concerning orders, deliveries, and after-sale matters are properly directed to the correct recipient. Without provision of this information, the operator would not be able to fulfil its contractual duties or to comply with statutory obligations relating to accounting and tax documentation.

2.2. Payment and transaction data.
Where a purchase is made, data relating to the transaction shall be processed. Such data comprises the chosen payment method, payment status, payment reference, invoicing data, and transaction amounts. Please note that for card payments or payments made via third-party gateways, the operator does not itself store complete card details; these are processed directly by the authorised payment service provider in compliance with PCI-DSS standards. Nevertheless, the operator may process confirmations of payment, identifiers generated by the payment system, and other records strictly necessary to prove that an order has been paid. This information is essential both for contractual fulfilment and for compliance with statutory obligations in the areas of taxation, accounting, and prevention of fraudulent activity.

2.3. Technical and usage data.
When accessing and browsing the Website, certain technical information is automatically collected. This includes IP addresses, device identifiers, browser types, operating systems, and usage logs, as well as cookies and analytics data. Such data may be used to ensure the secure and stable operation of the Website, to analyse usage patterns, and to optimise the performance and functionality of the Website. For the avoidance of doubt, the operator shall only deploy cookies and similar technologies in accordance with the Cookie Policy and subject to the consents and preferences expressed by the user.


3. Purposes and Legal Bases of Processing

3.1.
Personal data shall only be processed for specified and legitimate purposes, namely:

Contractual performance
The processing of personal data is necessary to conclude purchase contracts, deliver ordered goods, communicate regarding orders, and provide warranty or return handling.

Legal compliance
The operator is subject to statutory duties, particularly under Czech accounting and tax laws, which require the retention and disclosure of certain data.

Customer support
To respond to enquiries, provide assistance, and handle complaints or warranty claims.

Marketing (with consent)
Where individuals have provided explicit consent, personal data (in particular, email addresses) may be used for the distribution of newsletters, promotions, or other marketing communications. Such consent is voluntary and may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

Legitimate interests
The operator may process certain technical data for the purposes of fraud prevention, ensuring network and information security, and improving the quality of services.


4. Retention of Personal Data

4.1.
The operator shall not retain personal data for longer than necessary for the purpose for which it is processed. Retention periods are determined by statutory obligations as well as operational needs:

Order and invoicing data shall be retained for a minimum period of ten (10) years from the end of the taxable period in which the transaction occurred, in order to comply with Czech accounting and tax regulations.

Marketing data (email addresses used for newsletter distribution) shall be retained until such time as consent is withdrawn by the data subject. Withdrawal of consent can be exercised at any time via the unsubscribe mechanism included in marketing communications or by direct request to the operator.

Technical and cookie data shall be retained in accordance with the Cookie Policy, generally only for the period necessary to provide the requested service or for a shorter duration as determined by the user’s browser or device settings.


5. Rights of Data Subjects

5.1.
In accordance with GDPR, individuals whose data is processed enjoy the following rights:

Right of access
The right to obtain confirmation as to whether personal data is being processed, and, if so, to access such data along with information about the processing.

Right to rectification
The right to request correction of inaccurate or incomplete personal data.

Right to erasure
The right to request deletion of personal data, particularly where it is no longer necessary for the purposes for which it was collected or where consent has been withdrawn.

Right to restriction of processing
The right to request limitation of processing in certain circumstances, such as pending verification of accuracy or objection to processing.

Right to portability
The right to receive personal data provided to the operator in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to object
The right to object at any time to processing of personal data based on legitimate interests or for direct marketing purposes.

5.2.
Data subjects also have the right to lodge a complaint with the competent supervisory authority, which in the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, www.uoou.cz).


6. Contact and Provisions

6.1.
All requests, queries, or assertions of rights under GDPR may be addressed to the operator at the following contact point: info@hanzoblades.com.

6.2.
This Privacy Policy is issued by the operator of the Website, spacepace s.r.o., Pobrezni 97/40, Karlin, 186 00 Prague, Czech Republic, ID 06750753, VAT CZ06750753, registered in the Commercial Register maintained by the Municipal Court in Prague.


7. Data Sharing and Transfers

7.1.
Personal data shall not be sold or otherwise disclosed to unrelated third parties. However, personal data may be shared with certain processors and service providers, strictly on the basis of data processing agreements ensuring compliance with GDPR.

7.2.
Recipients of data may include:

Payment providers, for the processing of payments.

Delivery companies and logistics partners, for the delivery of goods.

IT service providers, for the hosting, maintenance, and operation of the Website.

7.3.
In the event that personal data is transferred outside the European Union or the European Economic Area, such transfer shall take place only where an adequacy decision by the European Commission exists, or under standard contractual clauses or other appropriate safeguards in accordance with Chapter V GDPR.


8. Security Measures

8.1.
The operator undertakes to apply appropriate technical and organisational measures to secure personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include encryption, secure storage, restricted access policies, regular monitoring, and contractual safeguards with processors.


9. Amendments to the Policy

9.1.
The operator reserves the right to amend or supplement this Policy at any time, in particular to reflect changes in legislation, regulatory guidance, or operational practices. Updated versions of this Policy shall be published on the Website with the effective date clearly indicated.