Data Controller Information:

Name: Programme Health a. s.
Address: Drobného 27, 841 01 Bratislava
Company ID (IČO): 46 433 350
Tax ID (DIČ): 2023397002
Registration: Commercial Register of the District Court Bratislava I, Section: Sa, Insert Number: 5436/B
IBAN: SK70 1100 0000 0029 2186 7388
Phone: +421 918 888 807
Email: info@ioy.sk
Data Protection Officer: Ivana Bartošová

If clients have any questions about this document or the use of their personal data or wish to exercise their rights described in this document, they can contact the Data Protection Officer by email at info@ioy.click or in writing at the company's registered address.

Processed Personal Data

Data Required for Processing Purchases:

Mandatory Data – information necessary to process and deliver the client's order, including name and surname, email address, phone number, delivery address, and the order itself.

Optional Data – clients may choose to provide additional information such as a photo, date of birth, another phone number, or multiple delivery addresses.

Facebook Services Activation: If clients log in via their Facebook account, Facebook provides us with data such as their name and email address. Clients can terminate this data sharing at any time through their Facebook profile management.

Additional Data for Some Services: Clients may be asked to provide additional personal data (e.g., a copy of an ID card) for identity verification or to assess their ability to pay for the goods.

Marketing Campaigns

We may process personal data for marketing campaigns or to fulfill contracts and combine this data.

If personal data is transferred to another entity, we will inform clients in advance, including who will receive the data. Similarly, if another entity transfers clients' personal data to us, the clients must be informed in advance.

Third Party Data:

If clients provide us with personal data of third parties, it is their responsibility to inform those individuals and ensure their consent to these privacy conditions.

Further Information:

For example, if a client buys goods from us but does not want to collect them or make a complaint, they can designate authorized persons in their user profile to do so on their behalf, thus providing us with their personal data.

We may automatically collect certain information about clients when they visit our website, such as IP address, date and time of access, browser information, operating system, or language settings. We may also process information about clients' behavior on our website. This information is anonymized for maximum privacy. If clients access our website via a mobile device or one of our mobile apps, we may also process information about that device (e.g., phone data, app crash logs).

Reasons for Collecting and Processing Personal Data

Purchasing Goods and Services:

Primarily, we process personal data to properly process and deliver the client's order.

Customer Care:

If clients contact us with questions or problems, we need to process their personal data to respond or resolve the issue. In some cases, personal data may be shared with third parties (e.g., delivery services).

Marketing Activities:

Email Marketing: We send commercial emails based on client consent. Clients can unsubscribe from these emails at any time.

Telemarketing: We make marketing calls to offer our goods and services. The legal basis for processing the client's phone number is either their consent or our legitimate interest in conventional direct marketing. Clients can object to this processing.

Marketing Competitions: Winners of competitions may be photographed or filmed to increase transparency. This is based on our legitimate interest in enhancing the credibility and attractiveness of our competitions. Clients can object to this processing.

Improving Our Services:

By using clients' order history and website behavior, we can offer more relevant product recommendations. We may display products directly suited to the client's needs and interests in certain areas.

Customer Reviews of Goods and Services:

After purchasing goods from us, clients may be asked to review them. Reviews can also be submitted voluntarily.

Exercising Rights and Legal Claims and Public Authority Controls:

We may process personal data to exercise our rights and legal claims (e.g., in case of unpaid claims against clients). Personal data may also be processed to comply with public authority controls and other similarly significant reasons.

Legal Bases

Contract Conclusion and Performance:

We need a large portion of personal data to conclude a purchase or other contract for goods or services that clients want to buy from us. Once the contract is concluded, we process the personal data to properly deliver the purchased goods or services. Thus, we primarily process billing and delivery data based on this legal basis.

Consent:

We process personal data for sending commercial emails (email marketing) and telemarketing based on client consent. If clients do not give consent, we may still send commercial emails (or make telemarketing calls) without consent. Any consent given is voluntary and can be withdrawn at any time, which does not affect the lawfulness of processing before its withdrawal. Clients can always prohibit such marketing communication from us. We may also ask for consent when we need to verify the client's ability to pay for goods provided without full upfront payment.

Legitimate Interests:

We also use personal data to provide clients with relevant content offers. We process personal data collected automatically based on our legitimate interest. For the same reason, we may send clients email and SMS messages.

Special Actions, Collections:

For special actions and collections that clients participate in through us, such as choosing to donate an amount to a charitable organization when paying, we may provide clients' contact information to that organization so they can thank the client for their support. We will always ask the client in advance if they want their personal data provided to a specific organization or remain anonymous.

Disclosing Personal Data to Third Parties

We disclose personal data to third parties for the following reasons:

Delivery of Goods:

The delivery person cannot deliver the ordered goods without the necessary data. We provide the courier with the information entered in the order. This includes the client's name, delivery address, phone number, and possibly the amount to be paid upon receipt if the goods were not prepaid. The courier can only process these data for delivery purposes and must delete them immediately afterward.

Delivery of Goods Stored by a Contractual Partner:

If the client orders goods stored in our contractual partner's warehouse, we must provide their personal data to complete the order. This includes the client's name, delivery address, phone number, and possibly the amount to be paid upon receipt if the goods were not prepaid. The contractual partner must provide this information to the courier, who will deliver the goods. Both the contractual partner and the courier can only use these data for storage/delivery purposes and must delete them immediately afterward.

Payment Cards:

We do not have data on payment cards used to pay for goods. Only the secured payment gateway and the respective banking institution have these data. If clients store their payment card for faster future purchases, we only have basic information, such as a few digits of the card number. Clients can delete this information anytime.

Analytical and Advertising Services:

For sending commercial messages (e.g., emails or SMS) or telemarketing, we may use third parties. These parties are bound by confidentiality and cannot use the client's personal data for any other purpose. We may also work with partners who provide analytical and advertising services. They help us understand how clients use our website, place our ads online, and measure their performance. These companies may use cookies and similar technologies to collect data about your interaction with our services and other sites.

Government Authorities and Damage Prevention:

We may retain or disclose clients' personal data to comply with legal obligations, state or other authorities' requirements, exercise our claims or defend in proceedings. Categories of third parties include courts, state authorities supervising our activities, dispute resolution authorities, and our legal and accounting advisors and auditors.

Personal Data Protection

In line with current legislation, we take all necessary security, technical, and organizational measures to protect clients' personal data. Electronic data is stored in a protected database on our server or one dedicated to us. We protect this database from damage, destruction, loss, and misuse. We strive to use security measures that, considering current technology, provide adequate protection. These security measures are regularly updated. For more information about data security, clients can contact our Data Protection Officer specified at the beginning of this document.

Personal Data Retention Period

We process personal data for the entire duration of the contractual relationship between us and the client. For data processed with client consent, the data will generally be processed for 7 years or until the consent is withdrawn. We must process personal data necessary for the proper provision of goods or services, or for fulfilling our obligations from the contract or legal regulations, regardless of the client's consent, for the period set by applicable laws (e.g., tax documents must be retained for at least 10 years).

Personal Data of Individuals Under 16

Our online store is not intended for children under 16. An individual under 16 can use our online store only with consent from their legal guardian.

Client Rights Related to Personal Data Protection

Clients have the right to withdraw their consent to personal data processing, correct or supplement their personal data, request restriction of their processing, object or complain about personal data processing, access their personal data, request data portability, be informed about data breaches, and under certain conditions, request data deletion, as specified below.

If clients believe their personal data is incorrect, they can contact us at info@ioy.click or in writing at the company's registered address.

Right to Information:

Clients have the right to access information regarding their personal data:

  • The purposes of processing their personal data
  • Categories of personal data concerned
  • Recipients of their personal data
  • Planned retention period of their personal data
  • Their right to request correction or deletion of their personal data or restriction of processing, or to object to this processing
  • Information about the data source if not collected from the client

Right to Deletion:

Clients can request data deletion, except for data on documents we must retain by law (e.g., invoices). If we need the data to establish, exercise, or defend our legal claims, we may refuse the deletion request (e.g., in case of unpaid claims or ongoing complaint procedures).

Note that the main payment card information is not stored by us but by our payment gateway, so these data cannot be deleted by us and must be addressed with the payment gateway.

Other Cases for Deletion:

  • The personal data is no longer needed for the purposes it was processed
  • Withdrawal of client consent and no other legal reason for processing
  • Client objection to data processing and their interest outweighs our interest in processing
  • Personal data processed unlawfully
  • Legal obligation to delete the data
  • Data of children under 16 years

Right to Object:

If clients have specific reasons, they can object to the processing of their personal data based on our legitimate interest. They can send this objection to info@ioy.click or in writing to the company's registered address.

Restriction of Processing:

If clients (a) dispute the accuracy of personal data, (b) data is processed unlawfully, (c) we no longer need the data but clients need it to establish, exercise, or defend legal claims, or (d) object to processing, they have the right to restrict the processing. In this case, we can process personal data only with their consent (except for storing or backing up data).

Submitting Complaints:

If clients believe their personal data is processed unlawfully, they have the right to submit a complaint to the Data Protection Authority. However, we prefer to resolve problems directly. Clients can contact us at info@ioy.click or in writing at the company's registered address.

These Data Protection Conditions and their parts are valid and effective from 01.01.2021, and are available electronically at www.ioy.sk.