Privacy policy

I. Basic Provisions

  1. The controller of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act No. 18/2018 Coll. on the Protection of Personal Data is:

 

NAFLEX s.r.o.

Company ID: 53386370

Registered office: Dopravná 2095/18, 955 01 Topoľčany

(hereinafter referred to as the “Controller”).

 

  1. The contact details of the Controller are:

Address: Landererova 8, 811 09 Bratislava

 

  1. Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

 

 

 

II. Sources and Categories of Processed Personal Data

The Controller processes personal data that you have provided or personal data obtained by the Controller based on the fulfillment of your order.

The Controller processes mainly the following data:

• first and last name

• delivery address

• email address

• phone number

• order information

• technical data about website usage (for example IP address)

 

 

III. Legal Basis and Purpose of Personal Data Processing

The legal basis for processing personal data is:

• performance of a contract between you and the Controller pursuant to Article 6(1)(b) GDPR

• the Controller’s legitimate interest in providing direct marketing pursuant to Article 6(1)(f) GDPR

• your consent to the processing of personal data for sending marketing communications and newsletters pursuant to Article 6(1)(a) GDPR

The purpose of processing personal data is:

• processing your order and fulfilling rights and obligations arising from the contractual relationship

• communication with the customer

• sending marketing communications and commercial information

• improving services and website functionality


The Controller does not carry out automated individual decision making or profiling.


The website may use cookies to ensure proper website functionality, analyze traffic, and for marketing purposes. Details about the use of cookies are provided in a separate Cookies Policy document.

 

 

IV. Personal Data Retention Period

The Controller stores personal data:

• for the time necessary to fulfill rights and obligations arising from the contractual relationship and to assert claims from these relationships, for a maximum of 10 years after the termination of the contractual relationship

• until consent to the processing of personal data for marketing purposes is withdrawn, for a maximum of 5 years

After the retention period expires, the Controller deletes the personal data.

 

 

V. Recipients of Personal Data (Processors)

Recipients of personal data are mainly persons:

• involved in the delivery of goods or processing of payments

• providing e-commerce platform services

• providing marketing and analytical services

• providing cloud or IT services


The Controller may particularly use services provided by:

• e-commerce platform providers

• email service providers

• marketing and analytics tools

• shipping companies responsible for order delivery


Some of these providers may be located outside the European Union. In such cases, the transfer of personal data is carried out in accordance with GDPR requirements.

 

 

VI. Your Rights

Under the conditions set out in GDPR, you have the right to:

• access your personal data

• correct inaccurate personal data

• request the deletion of personal data

• restrict processing

• object to processing

• data portability

• withdraw consent to the processing of personal data


If you believe that your data protection rights have been violated, you have the right to lodge a complaint with:

The Office for Personal Data Protection of the Slovak Republic.

 

 

VII. Conditions for Securing Personal Data

The Controller has adopted appropriate technical and organizational measures to secure personal data.


The Controller has implemented technical measures to secure data storage and personal data in both electronic and physical form.


Only authorized persons have access to personal data.

 

 

VIII. Final Provisions

These privacy policy terms are available on the Controller’s website.

The Controller is entitled to modify these terms. The new version will be published on the website.

These terms become effective on 16 February 2026.