Privacy Policy
Effective from: 10. května 2026 / 10 May 2026 / 10 травня 2026
1. Controller
Mini Joy Lab, sole trader (Viktoriia Petrenko), Školská 660/3, 110 00 Praha 1, Česká republika, IČO 24904252.
Designated data-subject contact (Art. 13 GDPR): privacy@minijoylab.cz.
We have not appointed a Data Protection Officer — the obligation under Art. 37 GDPR does not apply.
This site is not directed at children under 15. Under Art. 8 GDPR and § 7 of Act 110/2019, we do not knowingly collect personal data of children under 15 without verifiable parental consent.
2. What we process and why
We process only data necessary to run the shop. We do not profile users for advertising and we do not sell data to third parties.
| Purpose | Data | Legal basis | Retention |
|---|---|---|---|
| Order fulfilment | Name, address, e-mail, phone, order contents | Contract (Art. 6/1/b) | For the contract duration |
| Accounting, tax | Invoices, payment data (no card numbers) | Legal obligation (Art. 6/1/c) | 10 years (VAT Act) |
| User account | E-mail, password hash, order history | Contract (Art. 6/1/b) | Until account deletion |
| Newsletter | E-mail, language | Consent (Art. 6/1/a) | Until unsubscribe |
| Complaints, returns | Order details, communication | Legal obligation / legitimate interest | 4 years |
| Analytics (GA4, Clarity) | IP processed transiently for region detection (not stored alongside event data); on-site behaviour and device identifiers stored | Consent (Art. 6/1/a) | 14 months |
| Functional cookies | Cart ID, session token, language, theme | Contract performance (Art. 6/1/b) | Session up to 12 months |
3. Recipients (processors)
We share data only with carefully selected processors under a Data Processing Agreement (DPA):
- Stripe Payments Europe Ltd. (Ireland) — payments and payment-fraud prevention on the checkout page; limited sub-processing by Stripe Inc., US
- Resend (transactional email)
- Microsoft Azure (hosting; EU North Europe)
- Cloudflare (CDN / WAF)
- Packeta / Zásilkovna, Česká pošta, DHL (shipping)
- Google Analytics 4 (consent only; US transfer under SCCs)
- Microsoft Clarity (consent only)
4. International transfers
If you grant analytics consent, some data is processed in the US by Google (Google Analytics 4) and Microsoft (Clarity). Google Analytics 4 processes the IP address only transiently for region detection and does not store it alongside event data; on-site behaviour and device identifiers are stored. Transfers to Google LLC and Microsoft Corp. rely primarily on the EU–US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795) and, as a fallback, on EU Standard Contractual Clauses (Art. 46 GDPR) with supplementary technical measures. Stripe Payments Europe Ltd. (Ireland) acts as our payments processor; any sub-processing slice received by Stripe Inc. (US) is covered by the same DPF + SCC mechanisms. Transactional emails (order confirmations, receipts, withdrawal acknowledgements) are dispatched through Resend Inc. (US), which receives the recipient name, email address and order details necessary to deliver the message; this transfer relies on the EU–US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795), with EU Standard Contractual Clauses (Art. 46 GDPR) as a fallback safeguard.
5. Your rights
You have the right to:
- access your data (Art. 15)
- rectify inaccurate data (Art. 16)
- erasure ("right to be forgotten", Art. 17)
- restrict processing (Art. 18)
- data portability (Art. 20)
- object to processing (Art. 21)
- withdraw consent at any time — does not affect prior processing
- lodge a complaint with ÚOOÚ, uoou.cz
To exercise your rights, contact privacy@minijoylab.cz. We respond without undue delay and in any event within one month of receipt of the request; this period may be extended by up to two further months where necessary, taking into account the complexity and number of requests (Art. 12(3) GDPR). We will inform you of any such extension within one month of receipt of the request. You can permanently delete your account at /account/security; invoices and orders are retained 10 years for VAT compliance and unlinked from your identity.
6. Cookies
Essential cookies (login, cart, language, theme) are used without consent — the shop does not function without them. Analytics cookies (Google Analytics, Microsoft Clarity) are only stored after your explicit consent in the cookie banner. You can change consent any time via the "Cookie settings" link in the footer.
7. Security
All communication is over HTTPS. Passwords are stored only as bcrypt hashes. The database is hosted in the EU with encryption at rest and in transit. Backups are AES-256 encrypted.
8. Changes
We may update this policy. The current version is always available on this page; we will notify you by email of significant changes.