Privacy Policy (GDPR)

PRIVACY POLICY (GDPR)

1. Introductory Provisions

1.1 This Privacy Policy (hereinafter referred to as the "Policy") describes how the company Beshinari s.r.o., ID No.: 24330833, with its registered office at Varšavská 715/36, 120 00 Prague (hereinafter referred to as the "Controller") processes personal data of natural persons in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
  • Act No. 110/2019 Coll., on the processing of personal data,
  • related legal regulations of the Czech Republic.

1.2 This Policy applies to the processing of personal data in connection with the operation of the online store available at www.nikotin.cz.

1.3 The Policy applies particularly to:

  • e-shop customers,
  • website visitors,
  • registered users,
  • persons subscribed to commercial communications,
  • persons whose age is being verified (18+).

 

2. Personal Data Controller

Personal Data Controller:
Beshinari s.r.o.
ID No.: 24330833
Registered office: Varšavská 715/36, 120 00 Prague
Registered in the Commercial Register:
File No. C 439498/MSPH, Municipal Court in Prague
Email: info@nikotin.com
Phone: +420 601 131 453

The Controller has not appointed a data protection officer, as this obligation does not arise for them under GDPR.

 

3. What personal data we process

The Controller processes primarily the following categories of personal data:

3.1 Identification and contact data

  • name and surname,
  • billing and delivery address,
  • email address,
  • telephone number.

3.2 Order-related data

  • ordered goods,
  • payment and delivery method,
  • information about order fulfillment,
  • purchase history.

3.3 Age verification data (18+)

  • data necessary for age verification via the Adulto service,
  • information about meeting the age limit of 18 years.

The Controller does not store copies of identity documents.

3.4 Technical and operational data

  • IP address,
  • cookies,
  • device type, operating system and browser,
  • user behavior on the website.

3.5 Marketing data

  • consent to receiving commercial communications,
  • marketing preferences,
  • interaction with marketing communications.

 

4. Purposes of personal data processing

Personal data are processed for the following purposes:

4.1 Contract fulfillment

  • conclusion and fulfillment of the purchase contract,
  • order processing,
  • goods delivery,
  • communication with the customer.

4.2 Fulfillment of legal obligations

  • accounting and tax obligations,
  • obligations arising from the sale of tobacco and nicotine products,
  • document archiving,
  • protection of the Controller's rights.

4.3 Age verification

  • ensuring compliance with legal regulations,
  • prevention of sales to persons under 18 years of age.

4.4 Marketing and business purposes

  • sending newsletters and commercial communications,
  • informing about promotions, discounts, and news,
  • personalization of offers,
  • remarketing and targeted advertising.

 

5. Legal basis for processing

Personal data are processed based on:

  • contract fulfillment in accordance with Article 6 para. 1 lit. b) GDPR,
  • fulfillment of a legal obligation in accordance with Article 6 para. 1 lit. c) GDPR,
  • legitimate interest of the Controller in accordance with Article 6 para. 1 lit. f) GDPR, particularly:
    • direct marketing to existing customers,
    • protection of legal claims,
    • ensuring website security,
    • consent of the data subject in accordance with Article 6 para. 1 lit. a) GDPR.

The legitimate interest of the Controller has been assessed not to override the rights and freedoms of data subjects, and processing is carried out to the minimum necessary extent.

 

6. Marketing Communication

6.1 The Controller is entitled to send commercial communications:

  • based on the data subject's consent,
  • or based on a legitimate interest towards existing customers.

6.2 Each commercial communication includes an option to easily and free of charge unsubscribe.

6.3 The data subject may at any time:

  • withdraw their consent,
  • object to processing for marketing purposes.

 

7. Recipients of Personal Data

Personal data may be disclosed primarily to:

  • carriers,
  • payment providers,
  • accountants and tax advisors,
  • providers of IT, hosting and e-mailing services,
  • marketing and analytical tools,
  • Adulto service (age verification).

Personal data are not transferred to third countries outside the EU, unless explicitly stated otherwise.

 

8. Personal Data Retention Period

The Controller retains personal data for the period strictly necessary to fulfill the processing purposes, particularly:

  • personal data related to orders and accounting documents for 10 years,
  • data processed for contractual fulfillment for the duration of the contractual relationship,
  • marketing data for the duration of consent or until an objection is raised,
  • data processed based on legitimate interest for a maximum of 3 years,
  • technical and analytical data according to cookie settings.

 

9. Rights of Data Subjects

The data subject has the right:

  • to access personal data,
  • to rectification or erasure,
  • to restriction of processing,
  • to object to processing,
  • to data portability,
  • to lodge a complaint with a supervisory authority.

The right to erasure shall not apply to the extent that processing of personal data is necessary for compliance with the Controller's legal obligations.

 

10. Cookies and analytical tools

10.1 The website www.nikotin.cz uses cookies for the purpose of:

  • ensuring website functionality,
  • traffic analysis,
  • marketing activities.

10.2 Marketing and analytical cookies are used exclusively based on user consent.

10.3 Cookie management and granting or withdrawing consent is done via the cookie banner available on the Controller's website.

 

11. Automated decision-making and profiling

The Controller does not carry out automated individual decision-making or profiling within the meaning of Article 22 of the GDPR, which would produce legal effects concerning the data subject or similarly significantly affect him or her.

 

12. Security of Personal Data

The Controller has implemented appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or damage.

 

13. Dispute Resolution and Supervisory Authority

13.1 In case of questions, objections, or disputes regarding personal data processing, the data subject may contact the Controller via the contact email.

13.2 The data subject has the right to lodge a complaint with the supervisory authority:

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
www.uoou.cz

 

14. Final Provisions

14.1 This Policy is valid and effective from 06.01.2026.
14.2 The Controller reserves the right to update this Policy at any time.