Protecția datelor cu caracter personal
This document contains information in accordance with Article 13 GDPR related to personal data processing by the controller, Zajo Design s.r.o., which processes personal data of customers and visitors to www.zajo.com in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), and Act No. 18/2018 Coll. on personal data protection, amending certain acts, as amended (hereinafter referred to as “Act”). Information is provided to data subjects in a transparent, understandable and easily accessible manner. The controller does not have to designate a responsible person in accordance with the Act and GDPR.
A data subject is any natural person whose personal data are processed.
Personal data are any information related to an identified or identifiable natural person.
The controller undertakes to treat and use the personal data of data subjects in accordance with the applicable legislation of the Slovak Republic, especially the Act and GDPR.
DETAILS OF THE CONTROLLER
Business name: Zajo Design s.r.o.
Registered office: 29. augusta 1646/6, 924 01 Galanta
ID: 51 695 529
Commercial Register: Commercial Register of the Trnava I District Court, section: Sro, insert. no. 42182/T
Represented by: Juraj Králik, Executive
Contact person: Daniel Meliška
Email: [email protected]
Tel.: +421 918 654 285
(hereinafter referred to as “Controller”)
CATEGORIES, PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
The Controller processes personal data to the necessary extent according to the following categories:
3.1 Purchase of goods from the online store
If you purchase from the online store, providing personal data is necessary for the conclusion and performance of the purchase contract, delivery of goods, handling of complaints/returns, and communication. Without providing personal data, it is not possible to process the order properly. The customer acknowledges that the Controller processes the personal data of the data subject in its own information system. The data subject provides personal data to the Controller voluntarily and freely for the purpose of meeting its obligations arising from the purchase contract. The data subject is responsible for ensuring that the personal data provided is correct, accurate and up to date. The Controller is not liable for damage caused by incorrect or outdated data provided by the data subject.
Processed data: Name and surname, delivery address and/or billing address, telephone number, email address, order details (goods, sizes, price, shipment and payment method), order-related correspondence, warranty claim / contract withdrawal documentation. For payments by bank transfer, the bank account number of the customer (if the customer provides it in the payment details) and/or the bank account number for a refund in the event of contract withdrawal or warranty claim may be processed. For payments via payment gateways, the Controller does not typically process all payment card details; these are processed by the relevant payment service provider.
Purpose: conclusion and performance of the purchase contract, pre-contractual arrangements, purchaser identification, tax document issuance, goods delivery, warranty claim / goods return handling, customer correspondence.
Legal basis: contract performance (Article 6(1)(b) of GDPR).
3.2 Legal obligations (accounting and taxes)
The Controller also processes the personal data of the data subject for the purpose of compliance with its legal obligations related to accounting, taxes and associated record-keeping. This mainly includes the processing of data stated on tax documents (e.g. invoices) and other accounting and records-related data necessary for proper accounting, document archiving and proving compliance with obligations towards the relevant public authorities (e.g. the tax authority). The provision of such data is necessary to the extent required by law. The Controller is also authorised to process personal data necessary for proving, exercising and defending legal claims and for protecting system security.
Processed data: Tax document data, accounting and records-related data
Purpose: tax document issuance and records, accounting, compliance with legal obligations.
Legal basis: compliance with legal obligations (Article 6(1)(c) of GDPR).
3.3 Direct marketing (newsletter, offers, discounts)
(A) Direct marketing on the basis of consent (opt-in):
The Controller processes the personal data of data subjects for the purpose of informing the data subject about the Controller's products, discount campaigns, sending the newsletter or other marketing communication by means of automatic calling and communication systems without human intervention, e.g. by email and/or SMS, which is considered direct marketing, after obtaining the clear and voluntary consent of the data subject. The data subject expresses his or her consent to personal data processing for the purpose of direct marketing by entering his or her email address and then clicking the “SUBSCRIBE” button at the bottom of the Controller’s web page and ticking the relevant box to express consent when ordering goods from the online store www.zajo.com, when registering on www.zajo.com or by other appropriate means. The data subject has the right to withdraw his or her consent to personal data processing for the purpose of direct marketing at any time after it is granted, and the Controller shall immediately stop the personal data processing for this purpose, and the personal data shall be erased from the direct marketing information systems, taking into account the data subject’s right to be forgotten. This is without prejudice to the Controller’s obligation to keep a durable medium on which the demonstrable consent of the data subject is recorded for a period of at least four years from the withdrawal of consent by the data subject (keeping proof of consent to a minimum extent).
Processed data: Name and surname, home address or correspondence address, telephone number, email address
Purpose: sending the newsletter, information on products, special offers, discounts, news.
Legal basis: consent (Article 6(1)(a) of GDPR).
Unsubscribing: via the unsubscribe link in an email or by email: [email protected].
(B) Direct marketing for existing customers (soft opt-in):
The Controller is authorised to process the personal data of the data subject as the recipient of electronic mail, the SMS service or the MMS service without its separate consent for the purpose of direct marketing of the Controller’s own similar goods and services (soft opt-in), if the Controller has obtained the contact details of the data subject in connection with the sale of similar goods or services, or if it is direct marketing addressed to published contact details of a participant or user who is a sole trader or a legal person. The data subject has the right to reject the use of his or her personal data for such purposes at any time, simply and free of charge, with each message received. The data subject has the option to reject direct marketing when entering his or her email in the order.
Processed data: Name and surname, home address or correspondence address, telephone number, email address.
Purpose: sending the newsletter, information on products, special offers, discounts, news.
Legal basis: legitimate interest (Article 6(1)(f) of GDPR).
Unsubscribing: via the unsubscribe link in an email or by email: [email protected].
3.4 Customer account, loyalty programme, personalised offers
If you create a customer account in the Controller’s online store or join a loyalty programme, the Controller processes your personal data for the purpose of creating customer account messages, simplifying further purchases, recording your orders, providing loyalty benefits and personalising offers according to your preferences and history of purchases. The data subject provides personal data to the Controller voluntarily and freely, and declares that all the personal data provided are accurate and up to date. The data subject acknowledges that consent to personal data processing (if it is the legal basis) may be withdrawn at any time, without this affecting the lawfulness of any processing carried out prior to withdrawal.
Processed data: Name and surname, home address or correspondence address, telephone number, email address, login credentials and customer account settings, purchase and preference data (e.g. history of orders).
Purpose: customer account creation and administration, simplification of further purchases, provision of loyalty benefits, order personalisation.
Legal basis: contract performance (Article 6(1)(b) of GDPR) – customer account creation and administration, consent / account settings (Article 6(1)(a) of GDPR) – personalised offers, legitimate interest (Article 6(1)(f) of GDPR) – account security and customer experience enhancement (e.g. overview of orders).
3.5 Satisfaction / public opinion surveys
The Controller may contact the data subject for the purpose of conducting a satisfaction / public opinion survey, particularly with the aim of obtaining feedback and goods reviews, and evaluating the standard of services and their subsequent improvement. As part of the survey, the Controller may process the personal data of the data subject and the responses provided in the survey. The data subject’s participation in a survey is voluntary and the data subject is not obliged to provide responses; refusing to participate or not completing a survey does not affect the possibility to use the Controller’s services or purchase goods. If the legal basis of processing is consent, the data subject acknowledges that consent to personal data processing may be withdrawn at any time, without this affecting the lawfulness of any processing carried out prior to withdrawal.
Processed data: Name and surname, home address or correspondence address, telephone number, email address, survey responses.
Purpose: obtaining feedback, services improvement.
Legal basis: consent (Article 6(1)(a) of GDPR) for data subjects without registration and legitimate interest (Article 6(1)(f) of GDPR) for data subjects without a customer account.
3.6 Technical data and cookies
When visiting the Controller’s website, technical data obtained through cookies may be processed. Cookies are small text files that are stored on the data subject’s device and enable the website to function properly, remember certain settings and improve user comfort. Personal data processing through cookies that are necessary for the basic functionality of the website is carried out on the basis of the data subject’s consent in accordance with (Article 6(1)(a) of GDPR. The data subject acknowledges that it may withdraw his or her consent or change his or her cookies settings at any time through the relevant settings on the website or the settings of his or her web browser.
Processed data: IP address, device identifiers and cookies.
Purpose: according to the type of cookies – ensuring the proper functionality of the website, improvement of its performance, website traffic measurement, marketing.
Legal basis: consent (Article 6(1)(a) of GDPR)
3.7 AI chatbot (product selection advice, customer support)
The Controller provides an AI chatbot on its website, used to (i) answer customer questions, (ii) help with product selection, and (iii) improve customer experience. The data subject may voluntarily enter information into the chatbot which may contain personal data (e.g. gender, size, preferences, contact details or order information). The AI chatbot is not used for automated decision-making with legal effects in accordance with Article 22 of GDPR.
Processed data: chat communication content (entered text), technical data (IP address, device identifiers, logs), or data related to the purchase/account, if the user provides them or if the chatbot is linked to the account (e.g. order status).
Purpose: handling customer questions and requests, recommending suitable products based on specified parameters, preventing misuse and ensuring functionality.
Legal basis: contract performance / pre-contractual arrangements (Article 6(1)(b) of GDPR, if the chatbot is used for handling questions related to the purchase, order, warranty claim, availability, delivery; legitimate interest (Article 6(1)(f) of GDPR) in improving customer support and security.
!!! Advice: Do not enter personal data into an AI chatbot which are not necessary for the handling of your request, especially special categories of personal data (e.g. health data) or other sensitive information. !!!
PERSONAL DATA PROCESSING (RETENTION) PERIOD
The Controller retains the personal data of data subjects for no longer than the period necessary to achieve the purpose of the personal data processing in line with the principle of retention period minimisation, or for a period specified in a specific case by a generally binding legal regulation or this document.
If the purpose is the purchase of goods, then for the period of the contractual relationship and subsequently for the period necessary for exercising and defending legal claims (typically until the expiry of the warranty period for the goods), generally for a period of 5 years from the conclusion of the contract (this period may be appropriately extended in certain circumstances – warranty claims / legal disputes or legal archiving obligations).
In the case of personal data processing for which consent has been granted, the personal data of the data subject will generally be processed for a period appropriate to the purpose of the personal data processing, for a maximum of 5 years from the date of consent or until such consent is withdrawn. The data subject may withdraw his or her consent to personal data processing at any time in writing, by sending an email to [email protected] or by clicking the relevant link. The consent shall expire without undue delay upon delivery of the data subject’s consent withdrawal to the Controller and the personal data shall subsequently be erased.
In the case of direct marketing based on the data subject’s consent (opt-in), until such consent is withdrawn by the data subject, and in the case of direct marketing of own similar goods and services based on the Controller’s legitimate interest (soft opt-in), for one year from the termination of the contractual relationship between the Controller and the data subject. This does not limit the Controller's obligation to archive the record of consent granted by the data subject.
If the data subject and/or potential customer grants consent to personal data processing during registration, when his or her customer account is created on the Controller's website, the Controller shall retain the personal data for the period of the existence of the relevant customer account of the data subject, and the data subject has the right to request the erasure of the customer account, whereby the data subject’s registration will be cancelled and his or her personal data will be erased for the given purpose.
The Controller retains personal data processed on the basis of legitimate interest for the period necessary to achieve the purpose of processing. The appropriateness of this period shall be reviewed regularly with respect to the nature of the purpose, the scope of the processed data and the reasonable expectations of the data subject. The data subject has the right to object to the personal data processing at any time for reasons related to his or her specific situation.
PERSONAL DATA ERASURE
The data subject may request the erasure of personal data at any time in situations where there is no legitimate reason for further processing. The Controller shall comply with the request if it turns out that the data have been processed unlawfully or shall erase them in accordance with the relevant legal regulations. The Controller notes that there may be specific legal reasons that may prevent the Controller from performing the erasure (e.g. legal obligations, defense of legal claims); in such a case, the Controller shall inform the data subject.
You can send your request for the erasure of personal data to: [email protected]
PERSONAL DATA ERASURE
The data subject has the following right in relation to the Controller:
- to request access to personal data (Article 15 of GDPR) – the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to what extent. At the same time, if they are processed, it has the right to learn about their content and request information from the Controller about the reason for their processing;
- to obtain a copy of the personal data being processed (Article 15 of GDPR) – subject to the condition that the right to obtain a copy of the personal data being processed does not adversely affect the rights and freedoms of others;
- to personal data rectification (Article 16 of GDPR) – the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her, or the right to have incomplete personal data completed, including by means of providing a supplementary statement;
- to personal data erasure (Article 17 of GDPR) – the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the legal grounds applies;
- to restriction of personal data processing (Article 18 of GDPR) – the right to obtain from the Controller restriction of personal data processing where one of the legal grounds applies;
- to notification of rectification or erasure (Article 19 of GDPR) – if the Controller rectifies, erases or restricts processing, it shall communicate it to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort;
- to personal data portability (Article 20 of GDPR) – the right to receive the personal data concerning the data subject, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller, if all legal conditions are met;
- to object to personal data processing (Article 21 of GDPR) – the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions of GDPR;
- the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects (Article 22 of GDPR), if this method of processing was used;
- to withdraw consent to personal data processing (Article 7 of GDPR) – the data subject is entitled to withdraw his or her consent at any time in whole or in part, without this affecting the lawfulness of processing based on consent before its withdrawal. Partial withdrawal of consent to personal data processing may be related to a specific type of processing operation, while the lawfulness of personal data processing related to other processing operations remains unaffected. Partial withdrawal of consent to personal data processing may be related to a specific purpose of personal data processing, while the lawfulness of personal data processing for other purposes remains unaffected. The data subject may exercise the right to withdraw consent to personal data processing in writing to the address of the Controller's registered office or electronically by electronic means (by sending an email to the Controller's email address specified in the identification of the Controller in this document);
- to initiate proceedings or lodge a complaint with a supervisory authority (Article 77 and 78 of GDPR) – the data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR, without prejudice to any other administrative or judicial remedy. The data subject has the right to require the supervisory authority with which the complaint has been lodged to inform him or her, as the complainant, on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Article 78 of GDPR. The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, with its registered office at Námestie 1. mája 18, 811 06 Bratislava, Slovak Republic, email: [email protected], tel. +421232313214, website: https://www.dataprotection.gov....
PERSONAL DATA PROCESSORS AND RECIPIENTS
The Controller may disclose the personal data of the data subject only to the necessary extent, in accordance with the Act and GDPR, to the following categories of recipients:
(A) Transport and delivery of goods – e.g. Packeta, GLS, DPD, Slovak Parcel Service (SPS), Slovenská pošta
(B) Payment services (depending on the selected payment method) – payment services providers VÚB ePlatby, TatraPay, SporoPay, Edenred, Apple Pay, Google Pay, PayPal
(C) Marketing/analytical tools – e.g. web analytics tools, tag management, advertising platforms, A/B testing)
(D) IT/hosting/online store operation, accounting, consultants and support
(E) The Controller’s bodies and persons performing work in an employment or similar relationship for the Controller
(F) Courts, law enforcement authorities and other administrative authorities
The Controller does not sell or provide personal data for separate purposes of third parties, and discloses them to third parties only to the necessary extent for the exercise of its rights and obligations or as permitted by law. The data subject acknowledges that, for the purpose of performing the purchase contract, the Controller has provided the personal data of the data subjects to the following persons as processors for further processing, but only after fulfilling the obligations arising for the Controller from the Act and GDPR, especially in connection with verifying that, when selecting the processor, the Controller took into account its professional, technical, organisational and personnel-related competence and its ability to guarantee the security of the personal data being processed and to ensure the protection of the rights of the data subjects. The Controller has concluded contracts with processors for personal data processing within the meaning of Article 28 of GDPR.
Specific processors (current):
- FREE Company s.r.o., with registered office at Diaľničná cesta 6, 903 01 Senec, ID: 47 976 292, Commercial Register of the Bratislava III Municipal Court, Sro, insert no. 104976/B;
- FIN-CONSULT, spol. s r.o., with registered office at Štefániková 103, 921 01 Piešťany, ID: 36 248 428, Commercial Register of the Trnava District Court, Sro, insert no. 13386/T;
- Dexfinity s.r.o., with registered office at Gagarinova 7/A, 821 03 Bratislava, ID: 47 801 379, Commercial Register of the Bratislava III Municipal Court, Sro, insert no. 99338/B;
- Quality Unit, s. r. o., with registered office at Vajnorská 100/A, 831 04 Bratislava - Nové Mesto, ID: 35 908 301, Commercial Register of the Bratislava III Municipal Court, Sro, insert no. 33895/B;
TRANSMISSION OF PERSONAL DATA ABROAD
Processing takes place primarily in the EU/EEA. The Controller may process data within the EU/EEA without specific restrictions. If data are transmitted to third countries outside the EU/EEA (typically for certain marketing/analytical tools), the Controller shall ensure that the transmission is only carried out in accordance with GDPR (e.g. adequate safeguards) and typically only after consent has been granted for the given cookies.
AUTOMATED DECISION-MAKING AND PROFILING
The Controller does not process personal data based on automated individual decision-making. Profiling for marketing purposes (personalised offers, advertising) is performed only according to the settings and typically based on consent in cookies or based on legitimate interest in the internal segment of the loyalty programme (without legal effects).
COOKIES
The Controller uses cookies on the website www.zajo.com to ensure the proper functioning of the website, to improve its performance, to measure traffic, to personalise content, and for marketing purposes. Analytical and marketing cookies are stored and used only after the data subject has granted his or her consent via the cookie bar. Cookies are small text files stored on your device (computer, mobile phone, tablet) that enable your device to be recognised and certain information about your visit to be remembered (e.g. language settings, shopping cart contents, login).
CATEGORIES OF COOKIES AND LEGAL BASIS
The Controller distinguishes the following categories of cookies:
- Essential (technical/functional) cookies
- Purpose: essential for ensuring the basic functionality of the website (e.g. shopping cart, login, security, preferences related to your selection in the cookie bar).
- Legal basis: processing is necessary for the functioning of the website and the provision of the service you have requested (these cookies cannot be disabled in the cookie bar).
- Functional cookies
- Purpose: significantly improve the browsing experience, remembering user settings (e.g. language, region, display).
- Legal basis: consent granted via the cookie bar.
- Analytical/statistical cookies
- Purpose: measuring website traffic and behavior, improving functionality and content (e.g. website traffic, clicks, traffic sources).
- Legal basis: consent granted via the cookie bar.
- Marketing cookies
- Purpose: customising price quotations and advertisements for users, displaying and evaluating advertisements, remarketing, measuring campaign success.
- Legal basis: consent granted via the cookie bar.
HOW TO GRANT, REJECT OR WITHDRAW CONSENT
When you visit the website for the first time, a cookie bar will appear, where you can:
- accept all cookies;
- reject all optional cookies;
- or adjust the settings for each category.
You can withdraw or change your consent at any time by clicking the "Cookie settings" link on the website: www.zajo.com/sk/cookies. Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.
LIST OF COOKIES, TOOLS AND RETENTION PERIOD
A specific list of cookies used, tool names and providers is available in "Cookie Settings".
The storage period for cookies depends on the type of cookie:
- session cookies – deleted after the browser is closed;
- persistent cookies – remain stored for a certain period or until they are deleted in the browser.
RECIPIENTS AND TRANSMISSIONS ABROAD FOR COOKIES
If you enable analytical or marketing cookies, the data may be disclosed to the providers of these tools (e.g. operators of analytical/marketing platforms) as recipients or processors. Some tools may involve the transmission of personal data to countries outside the EU/EEA. In such a case, the Controller shall ensure that the transmission is only carried out in accordance with GDPR (e.g. on the basis of appropriate safeguards) and typically only after consent has been granted to the relevant cookies.
WEB BROWSER SETTINGS
You can also control cookies through your web browser settings (blocking, deleting cookies). Please note that blocking essential cookies may affect the functionality of the website (e.g. shopping cart, login).
FINAL PROVISIONS
The Controller has taken appropriate technical and organisational measures to protect personal data.
The Controller may update these terms and conditions; the current version is always available on the Controller's website.
These terms and conditions are valid and effective from 1 February 2026.
Aveți nevoie de ajutor?