DRAFT of Privacy Policy update

The company VELKÁ PECKA s.r.o., with its registered office at Karolinská 654/2, Karlín, 186 00 Prague 8, ID No.: 030 24 130, registered in the Commercial Register kept by the Municipal Court in Prague, File No. C 226550 ("Rohlik.cz" or "We"), as the personal data controller, hereby informs you, our customers purchasing goods or using services offered in our e-shop accessible from the web portal www.rohlik.cz or via the Rohlik.cz mobile application ("Rohlik.cz e-shop"), about the processing of personal data described below and about our privacy policy.

If you need any part of the text explained, would like advice, or wish to discuss further processing of your personal data, you can contact us at any time at zakaznici@rohlik.cz or privacy@rohlikgroup.com.

1. SCOPE OF PERSONAL DATA PROCESSING, PURPOSES, PERIOD, AND LEGAL BASIS

In this chapter, we inform you about which personal data we process about you. For your convenience, we have divided the chapter according to individual processing processes. For each process, the purpose, categories of processed data, processing period, and the legal basis under Article 6 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") are listed.

1.1 Response to requests, inquiries, suggestions

Purpose of processing

When you contact us with a request, inquiry or suggestion, you may be asked to fill in certain information about yourself or your company. We use the information you provide to us to contact you back and provide you with the information you have requested.

Providing personal data for the purpose of responding to your requests, questions or providing required information is necessary, and the failure to provide it may result in our inability to respond to your request, question or suggestion.

Categories of personal data

• name

• surname

• address

• customer account number

• phone number

• e-mail address

If you are ordering for business purposes, we also process:

• business name

• registered office

• identification number and tax identification number

Legal basis for processing

The legal basis for this processing is our legitimate interest under Article 6(1)(f) of the GDPR, which consists of dealing with your request, inquiry, or suggestion.

Period of processing

For a maximum of 4 years from the settlement of your request, inquiry or suggestion.

1.2 Settlement of the order

Purpose of processing

When you purchase goods in Rohlik.cz e-shop, we need your personal data to conclude and fulfil the contract.

The provision of personal data for the purpose of contract performance is our contractual requirement, and failure to provide it may result in the contract not being concluded.

Categories of personal data

• name

• surname

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

• additional notes

If you are ordering for business purposes, we also process:

• business name

• registered office

• identification number and tax identification number

Legal basis for processing

This processing is necessary:

a) for the performance of a contract with you, or for the implementation of measures taken prior to the conclusion of a contract at your request under Art. 6(1)(b) of the GDPR,

b) for the fulfilment of legal obligations applicable to us under Art. 6(1)(c) of the GDPR, and

c) the protection of our legitimate interest under Article 6(1)(f) of the GDPR, which consists primarily in the possibility of documenting the essential circumstances of our contractual relationship with you.

Period of processing

We process data necessary for order settlement and the fulfilment of related legal obligations for a period of 10 years from the end of the tax period (calendar month) in which the order was settled.

1.3 Creating and managing a customer account

Purpose of processing

If you create a customer account on the Rohlik.cz e-shop, we process data about your purchases, the use of our services, as well as the personal data you provide about yourself through your account, for the purpose of creating and managing your customer account.

To access your customer account, you may also use access from the social network Facebook, or your Google or Apple account. In such a case, you will not have to fill in your data manually, and we will obtain your personal data—which is necessary for us to properly create a customer account for you—from Meta Platforms, Inc. (Facebook social network), Alphabet Inc. (Google), or Apple Inc. The personal data transmitted to us in this manner will be processed to the extent and for the purposes according to your account settings on social network Facebook or within your Google or Apple account.

In case you make a purchase on the Rohlik.cz e-shop, we will save the data you have entered (primarily name and surname, delivery address, telephone number, and e-mail address) for use in the next purchase so that you do not have to enter them again.

If you fill in a satisfaction questionnaire, market survey, or a questionnaire related to our services, etc., we will process the data you provide in the questionnaire/survey for the purpose of improving the quality of our services. We will add the completed satisfaction questionnaire to your order data after you have made a purchase. Completion of questionnaires/surveys is completely voluntary.

Categories of personal data

• name

• surname

• information on whether age has been verified (18+)

• customer account number

• login details

• e-mail address

• phone number

• address

• purchase history

• device fingerprint

• IP address

• device location

• information regarding membership in loyalty or supplementary customer programs

• questionnaire content

• additional notes

If you are ordering for business purposes, we also process:

• business name

• registered office

• identification number and tax identification number

Legal basis for processing

This processing is necessary for the performance of a contract with you, or for the implementation of measures taken prior to the conclusion of a contract at your request under Art. 6(1)(b) of the GDPR.

We carry out the processing of data obtained through satisfaction questionnaires, market surveys, and questionnaires related to our services based on our legitimate interest under Article 6(1)(f) of the GDPR.

Based on our legitimate interest under Article 6(1)(f) of the GDPR, we also process your personal data that is necessary for the potential defence of our legal claims after your customer account is cancelled.

Period of processing

We process personal data relating to your customer account, including the data contained therein, for the purpose of the establishment and management of the customer account until the account is cancelled and subsequently for a period of 4 years from its cancellation.

If you create a customer account (or log in to it via Facebook, Google, or Apple account) and do not make any purchase with us, we process the data for a period of 5 months from its creation.

1.4 Sending commercial communications

Purpose of processing

To inform you about the goods and services we offer and about ongoing contests we organize, and unless you have refused such communication, we will send you our commercial communications. You have the option to opt out of receiving commercial communications through the communication settings in your customer account as part of the registration process. You can change the settings (granting/revoking consent) in your customer account settings at any time. Due to technical limitations resulting from SMS technology, when sending commercial communications via SMS messages, we will identify ourselves as you know us best, i.e., as “Rohlík” or “Rohlik.cz”.

If you give us your consent, we can prepare special offers for you according to the category of goods you have already purchased from us. In such a case, we will send you commercial communications to your e-mail about our goods and services and those of our partners, taking into account your purchases and preferences or otherwise tailored to select the goods and services that best meet your needs.

Categories of personal data

By e-mail, SMS, push notification:

• name

• surname

• e-mail address

• phone number

By post:

• name

• surname

• address

By telephone (live call):

• name

• surname

• phone number

• call recording

Legal basis for processing

If you are our customer and do not opt out of receiving commercial communications, the legal basis for the processing is our legitimate interest under Article 6(1)(f) of the GDPR, which consists primarily in promoting the sale of our goods and services to our customers and an exemption under Section 7(3) of Act No. 480/2004 Coll. on Certain Information Society Services.

If you are our customer and you refuse to receive commercial communications on the basis of a legitimate interest and then you actively choose the option to receive commercial communications in your customer account settings, the legal basis for the processing is your consent under Article 6(1)(a) of the GDPR. Giving this consent is voluntary and you are not obliged to provide it by any legal regulation. You can withdraw your consent at any time; the withdrawal of your consent does not affect the lawfulness of the processing of your personal data prior to its withdrawal.

Period of processing

We will process personal data for the purpose of sending commercial communications based on legitimate interest (direct marketing) for the duration of our contractual relationship and for a maximum of 12 months after its termination or until you refuse such processing.

We will process personal data for the purpose of sending commercial communications based on your consent until its withdrawal or until the cancellation or deletion of the customer account.

1.5 Satisfaction questionnaires

Purpose of processing

In order to improve the quality of our services, and unless you have refused such communication, we will send you satisfaction questionnaires, market surveys, or other communications related to our services, etc. Completion of questionnaires/surveys is completely voluntary.

Categories of personal data

• name

• surname

• customer account number

• e-mail address

• phone number

• business name (if you are ordering on behalf of a legal entity)

• questionnaire content

Legal basis for processing

If you are our customer and do not opt out of receiving satisfaction surveys, the legal basis for the processing is our legitimate interest under Article 6(1)(f) of the GDPR, which consists of improving our services.

If you are our customer and refuse to receive satisfaction surveys on the basis of a legitimate interest and then actively select this option in the settings of your customer account, the legal basis for the processing is your consent under Article 6(1)(a) of the GDPR. Giving this consent is voluntary, and you are not obliged to provide it by any legal regulation. You can withdraw your consent at any time; the withdrawal of your consent does not affect the lawfulness of the processing of your personal data prior to its withdrawal.

Period of processing

We will process personal data for the purpose of sending satisfaction surveys based on your consent until its withdrawal or until the cancellation or deletion of the customer account.

1.6 Recording telephone calls

Purpose of processing

When you communicate with us by telephone, all our calls are recorded. Call recordings are stored in our internal system and, if you are a customer, are associated with your customer account. The call recordings are primarily used to document the fulfilment of our contractual obligations, to fulfil your requests and to answer your inquiries. If you do not agree to the call recording, please contact us by e-mail.

Categories of personal data

• call recording

Legal basis for processing

This processing is based on our legitimate interest under Article 6(1)(f) of the GDPR, which consists primarily in the possibility of documenting the essential circumstances of our contractual (or other) relationship.

Period of processing

Call recordings are usually stored for a period of 6 months, longer in connection with a specific case (if they are to be used as evidence).

1.7 Sale of tobacco, alcohol, and instant lottery tickets

Purpose of processing

In the event that you purchase alcoholic beverages, instant lottery tickets, tobacco products and e-cigarettes from us, we are obliged under Act No. 65/2017 Coll., on the Protection of Health from the Harmful Effects of Addictive Substances and Act No. 186/2016 Coll., on Gambling, to verify your age. We must thus ensure that, through us, alcoholic beverages, tobacco products, smoking accessories, herbal smoking products or e-cigarettes are not sold to persons under the age of 18. When delivering a purchase containing a tobacco product and/or alcohol and/or instant lottery tickets, the courier is entitled to request proof of identification from the person taking delivery of the purchase. In order to be able to prove the age verification system to the regulatory authorities, the courier enters the information from the identity card into our internal system.

Categories of personal data

• name

• surname

• date of birth

• the last four digits of the ID card number (we do not process the full ID card number)

Legal basis for processing

This processing represents the performance of a legal obligation under Art. 6(1)(c) of the GDPR applicable to us.

Period of processing

We keep the personal data necessary to prove the age verification for the sale of tobacco products and alcoholic beverages for 4 years from the date of the last purchase of tobacco products or alcoholic beverages.

1.8 Conducting marketing analyses and statistics

Purpose of processing

If you give us your consent in the Rohlik.cz e-shop, we will also process the personal data you provide, including your purchase history, for the purposes of conducting marketing analyses and statistics.

Categories of personal data

• name

• surname

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

• communication with you, including any photos you provide to us (e.g. in the event of a complaint)

• purchase history

• data about browsing Rohlik.cz e-shop

• device fingerprint

• IP address

• information regarding membership in loyalty or supplementary customer programs

Legal basis for processing

This processing is possible only on the basis of your consent under Art. 6(1)(a) of the GDPR. Giving this consent is voluntary, and you are not obliged to provide it by any legal regulation. You can withdraw your consent at any time; the withdrawal of your consent does not affect the lawfulness of the processing of your personal data prior to its withdrawal.

Period of processing

We will process personal data for the purposes of conducting marketing analyses and statistics on the basis of your consent until its withdrawal or until the cancellation or deletion of the customer account.

1.9 Operation of the Rohlíček Club

Information on the processing of personal data of Rohlíček Club members is available in a separate document, which is available in its current version here.

1.10 Customising the content of the Rohlik.cz e-shop

Purpose of processing

Rohlik.cz e-shop uses your customer account number and purchase history to display customised Rohlik.cz e-shop content. The display of customised content simply means that your favourite products are displayed in the first place in each product category to make the purchase easier for you.

The purpose of the processing is to provide the shopping service with as few clicks as possible. Please note that the service of ensuring the purchase with the fewest clicks is an integral part of the Rohlik.cz e-shop. The purpose of displaying personalised content is not to carry out marketing, disseminate advertising or motivate the purchase of specific products.

We have carried out a data protection impact assessment for this processing in conjunction with our Data Protection Officer to verify that this processing, which is intended to provide you with a functional service that saves you time, does not pose any increased risk to your privacy.

Categories of personal data

• customer account number

• purchase history

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR.

Period of processing

For as long as the customer account is active.

1.11 Use of the virtual (AI) assistant Maia

Purpose of processing

If you use our virtual assistant, Maia, to help you select products, give cooking tips and make shopping easier, please note that Maia uses artificial intelligence elements to provide answers. For Maia to be able to provide you with follow-up responses, it stores data on past conversations (usually the last five conversations). Maia does not use the data to improve its algorithms in general, but only to create the best possible answer to your question. However, if you alert the virtual assistant to a wrong answer, it will learn and use this data to try to prevent it from happening again. The Maia virtual assistant is an additional service that you may or may not use - its use is completely voluntary.

Categories of personal data

• name

• surname

• address

• e-mail address

• customer account number

• purchase history

• recording of a conversation, including any photos you provide to us

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR.

Period of processing

For as long as the customer account is active and subsequently for 4 years from its cancellation.

1.12 Public collections

Purpose of processing

If you participate in a public collection to which you can contribute on our Rohlik.cz e-shop, we are entitled to disclose your data to the organizer of the public collection in accordance with Act No. 117/2001 Coll., on public collections. We will always inform you about the organiser of the collection in connection with your contribution to the relevant public collection.

Categories of personal data

• name

• surname

• address

• amount of donation

Legal basis for processing

This processing represents the performance of a legal obligation under Art. 6(1)(c) of the GDPR applicable to us.

Period of processing

If you contribute to a public collection facilitated by us (i.e., where we are involved to support its implementation), we usually process your personal data for a period determined by the nature of the collection and applicable legal regulations (at least 5 years under the Accounting Act, and up to 10 years for tax purposes).

1.13 Referral program

Purpose of processing

If you participate in the "Referral Program", it is necessary to process some of your personal data. The program is a free-of-charge bonus program that allows all customers with an active account to receive a reward for shopping at the Rohlik.cz e-shop. You will receive a reward for referring new customers, and the person you bring will also receive a benefit. Participation in the program and the provision of personal data for the purposes of the program is voluntary, but without their processing, it is not possible to ensure your participation in the program.

Categories of personal data

• name

• surname

• customer account number

• phone number

• e-mail address

• purchase history

• device fingerprint

• device IP address

• information about links used

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR on participation in the Referral Program and in accordance with the Referral Program’s Terms and Conditions.

Period of processing

Personal data will be processed automatically and securely in electronic form for the period necessary to organize the scheme, verify fulfilment of the scheme conditions, and any review by public authorities, but no longer than three (3) years after the end of participation in the Referral Program, unless a longer period is required by law (for example, in connection with accounting).

1.14 "Rohlik Xtra" Program

Purpose of processing

If you use the paid membership under the Terms of Xtra Membership Service, we process your personal data for the purpose of ensuring the operation of the paid membership, i.e. for the purpose of providing above-standard services.

Categories of personal data

• name

• surname

• customer account number

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

• information about your use of Xtra benefits

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR on the provision of Xtra membership.

Period of processing

For as long as your membership in the program is active.

1.15 "Rohlik Barrier-Free" Club

Purpose of processing

If you are a member of the Rohlík Barrier-Free club, the courier delivering your first purchase will verify your eligibility for Club membership in one of the following ways:

a. for seniors – by visually confirming your age or checking an official ID (identity card or passport),

b. for disability card holders – by checking a valid ZTP, TP, or ZTP/P card or another document proving a medical condition.

We do not store any data from the documents presented during this verification. The courier simply confirms to our customer support team that the eligibility was verified, and this confirmation is recorded in our system. Rohlik Barrier-Free terms and conditions are available here.

Categories of personal data

• date of birth

• expiry date of ZTP, TP, or ZTP/P card or another document proving a medical condition

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR on participation in the club.

Period of processing

One-time verification.

1.16 Complaints

Purpose of processing

For the purpose of handling complaints, it is necessary to process your personal data. In this context, in addition to information about the ordered goods, we also use the content of our related communication, including any photos you provide to us, and your purchase history.

Categories of personal data

• name

• surname

• customer account number

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

• communication with you, including any photos you provide to us (e.g. in the event of a complaint)

• additional notes

If you are ordering for business purposes, we also process:

• business name

• registered office

• identification number and tax identification number

Legal basis for processing

This processing is necessary for the performance of a contract with you under Art. 6(1)(b) of the GDPR on the use of the Rohlik.cz e-shop and the fulfilment of legal obligations under Art. 6 (1) (c) of the GDPR applicable to us

Period of processing

For as long as the customer account is active and subsequently for 4 years from its cancellation.

1.17 Protection against fraud

Purpose of processing

We process your personal data for the purpose of preventing, detecting, and investigating fraudulent behaviour that could damage our property interests or disrupt the credibility of our services.

For the purpose of addressing fraudulent behaviour, we use, in addition to information about the ordered goods, also the content of our related communication, including any photos you provide to us, and your purchase history.

If you are or have been our customers and we register repeatedly unpaid orders, fraudulent behaviour, or you have in any way significantly damaged us, or similar harm is imminent, we are entitled to refuse to provide you with services and to process your personal data for this purpose.

Categories of personal data

• name

• surname

• customer account number

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

• communication with you, including any photos you provide to us (e.g. in the event of a complaint)

• history of problematic behaviour (including any necessary documents, e.g. recordings, written communication, camera recordings)

• device fingerprint

• device IP address

• additional notes

If you are ordering for business purposes, we also process:

• business name

• registered office

• identification number and tax identification number

Legal basis for processing

This processing is based on our legitimate interest under Art. 6(1)(f) of the GDPR, which consists in our protection against fraud and on the fulfilment of legal obligations under Art. 6(1)(c) of the GDPR applicable to us.

Period of processing

If we are forced to refuse to provide you with our services, we will retain the data necessary to protect our rights and legally protected claims for a maximum of 4 years.

1.18 Contests

Purpose of processing

We try to design the contests we organize so that participation in the contest is as little burdensome as possible for its participants. In most cases, the customer is automatically entered into the draw after the fulfilment of the conditions of the relevant contest. The drawn winners are invited to accept the prize, which they may, but do not have to, accept.

In the case of drawn winners who have refused to receive commercial communications, only an operational communication is then sent to the winner with information about the drawn prize and with a request to contact us if they are interested in accepting the prize.

Categories of personal data

The scope of processed data varies depending on the type of contest; the following data may be processed:

• name

• surname

• customer account number

• address

• phone number

• e-mail address

• information about the goods ordered

• information on the choice of payment method

• payment card information

If the winner grants us consent, we may process their name and the initial letter of their surname, photo, video recording (or other data for the processing of which they grant consent) for the purposes of informing them about the contest and supporting our business activity, but always only to the extent and for the specific purposes according to the relevant consent.

Legal basis for processing

The processing of the data of the Rohlik.cz e-shop customer in connection with the entry into the contest, and evaluation of their participation in the contest, is based on the performance of a contract under Art. 6(1)(b) of the GDPR on the use of the Rohlik.cz e-shop concluded in accordance with the General Terms and Conditions.

All other possible processes of personal data processing within the framework of contests and the publication of their results are implemented on the basis of consent under Art. 6(1)(a) of the GDPR. Giving this consent is voluntary, and you are not obliged to provide it by any legal regulation. You may withdraw your consent at any time; the withdrawal of consent does not affect the lawfulness of the processing of personal data prior to its withdrawal.

Period of processing

We process personal data in connection with the organisation of contests for no longer than 3 years. This period is based on the general limitation period, within which it is possible to challenge the results of the contest and for which we must be able to prove compliance with legal regulations in the event of an inspection by the relevant supervisory authority (Czech Trade Inspection).

1.19 Rohlik Point self-service box

Purpose of processing

Self-service box (Rohlik Point) may be equipped with camera systems with recording. We operate camera systems at these locations primarily in the interest of ensuring the highest possible safety of persons and property located on the premises of the delivery points and for the purposes of documenting legal actions in connection with the performance of the contract on the use of the Rohlik.cz e-shop. The recording from the camera system is processed in accordance with the GDPR. The recording from the camera system may, in certain cases, be handed over to authorized persons (including the data subject concerned), to law enforcement authorities in the event of suspicion of illegal conduct by persons on the recording, or to state administration authorities in cases stipulated by law; similarly, the recording may be used in civil court proceedings or in the case of proving the fulfilment of a legal obligation.

Categories of personal data

• video surveillance footage

Legal basis for processing

This processing is based on our legitimate interest under Art. 6(1)(f) of the GDPR, which is to protect our legal claims, our business, our staff and the prevention of losses and further on the fulfilment of legal obligations under Art. 6(1)(c) of the GDPR applicable to us.

Period of processing

The processing period varies depending on the location of the camera system and the associated level of risk.

1.20 Marketing consent

Purpose of processing

If you give us your consent to use your data (see below for the specific scope) to tailor our advertising and that of our partners to your interests, you allow us to show you advertising from us and our partners (as defined below) that we believe may be of interest to you. We call such consent “marketing consent”.

If you give us marketing consent, we target and evaluate the success of campaigns based on an analysis of your behaviour using pseudonymized data. Once you have given your consent, we may also use a unique identifier (user ID) to track your behaviour on different websites, browsers, or end devices.

Please note that granting marketing consent is entirely voluntary, and failing to grant consent will not affect our business relationship in any way.

The categories of your personal data (within the scope of the advertising targeting method) are only used to create the so-called audience segments for displaying a specific advertisement according to the parameters we choose (if it is our advertisement) or our partner gives us. The way it all works is based on the data we have available and collected as part of your shopping and movement on the Rohlik.cz e-shop. We include you (via your device) in one of the audiences and display the selected advertisement for you (ours or our partner's). We then use the data on your response to the display of the advertisement for the purpose of evaluating the success of a particular advertising campaign and to increase the effectiveness of targeting/adaptation of advertisements.

Categories of personal data

The specific data that is used for targeting and customisation depends on how the ad is targeted/customised. In most cases, these are the following categories of personal data:

• data about the location in which you are shopping is primarily used for geographic targeting;

• data about your previous purchases, your movements on our e-shop, your favourite product categories, whether you like special offers, how often you shop, what the average value of your order is, whether you are a member of one of our clubs (Xtra, Rohlicek), whether you shop via the website or app, etc. are used for interest and behavioural targeting.

In addition, data on your response to the displayed advertisement (e.g., clicks, conversion to the e-shop, etc.) are processed to evaluate the success of campaigns. We use pseudonymised data for targeting and customisation of advertising. Pseudonymisation is the processing of personal data in which the data can no longer be linked to a specific person without the use of additional information, whereby this additional information is stored separately and is subject to technical and organisational measures to ensure that the data cannot be unlawfully linked to a specific person.

Legal basis for processing

This processing is based exclusively on your consent under Art. 6(1)(a) of the GDPR. You can manage (grant/withdrawal) your marketing consent at any time in the communication centre of your profile on the Rohlik.cz e-shop. Specifically, you can find the communication centre under your initials (the icon on the Rohlik.cz e-shop at the top right), then click on “my account”. On the page that opens, you will find the “communication settings” tab on the left.

Period of processing

If you give us marketing consent, we process your personal data for the period of the consent (i.e., until it is withdrawn) or until the cancellation or deletion of the customer account.

Please note that if you give us your consent, we will include in the processing the full range of data (see categories above) that we hold about you from the beginning of our business relationship.

We will process personal data for the purpose of sending commercial communications based on your consent for as long as you have given your consent. You can refuse the processing of your personal data for the purpose of sending commercial communications at any time, and this will not affect our other relationships. You can opt out of receiving further communications by clicking on the link provided in the commercial communication sent to you, or by sending us an e-mail with the relevant request to zakaznici@rohlik.cz. You can also easily set up how we may contact you and the areas of interest to you through your profile in the 'Communication Settings' section.

1.21 Shopping lists

Purpose of processing

As a user, you can, within the Rohlik.cz e-shop, create a shopping list in your customer account, which serves to facilitate your future shopping, and subsequently share it via a unique link with anyone at your discretion.

Please note that we cannot influence in any way to whom you share the link and how this shared link is further handled. Anyone you make the link to your shopping list available to can access that list and view its content. If you grant them permission, they can also edit the list, i.e., add items, remove them, change the quantity of ingredients, and, of course, also copy the list to their lists or shop with it from their account.

By default, your shopping list is shared under your name and surname (this is the name and surname entered by the user upon registration of the account on the Rohlik.cz e-shop), which cannot be deleted or changed after the link is shared. You can edit the name of the shopping list before creating the link for its sharing. You can delete the shopping list at any time; in such a case, the shopping list will no longer be available even via the link.

Categories of personal data

• name

• surname

Legal basis for processing

This processing is necessary for the performance of a contract with you, under Art. 6(1)(b) of the GDPR, on the use of the Rohlik.cz e-shop.

Period of processing

For the duration of the existence of the customer account and subsequently for a period of 4 years from its cancellation or until the deletion of the relevant list by the user.

2. WHO HAS ACCESS TO YOUR PERSONAL DATA

We only disclose your personal data to authorized employees and cooperating persons or individual data processors or other controllers, but only to the extent necessary for the fulfilment of the individual purposes and on the basis of the corresponding legal title for the processing of personal data. These include, for example:

a. external accounting firms,

b. contracted carriers,

c. law firms,

d. processors who provide us with server, web, marketing, cloud or IT services,

e. companies within the Rohlik Group.

Please be aware that we are part of a group of companies led by Rohlik Group a.s., ID No.: 09960678, with its registered office at Karolinská 654/2, Karlín, 186 00 Prague 8, the Czech Republic (the “Rohlik Group”). All Rohlik Group companies are entirely based in the EU. The sharing of personal data for internal administrative and operational purposes within the Rohlik Group is based on the legal basis of Article 6(1)(f) of the GDPR, i.e. legitimate interest, in accordance with Recital 48 of the GDPR.

2.1 Payment services

We make your personal data available to the appropriate extent to payment services providers according to your chosen payment method. Please note that the payment service provider may be in the position of an independent data controller, and the processing of your personal data for the purpose of initiating payment (enabling payment from your account to our account) or making payment through a payment gateway is then governed by the privacy policy of the respective payment service provider. These policies are available for

a. Apple Pay here,

b. Google Pay here,

c. payment initiation Everifin here,

d. payment gateway provider Adyen here.

2.2 “Pharmacy” section

If you purchase goods from the 'Pharmacy' section, we will transfer your selected data to BENU Czech Republic a.s., based in Prague 10 – Hostivař, K pérovně 945/7, Postal Code 10200, ID No.: 49621173 (“BENU”), to process your order from the pharmacy. This includes information about the products you have purchased in the Pharmacy section, as well as your name and surname, telephone number, e-mail address and address.

BENU is an independent data controller of your personal data within the meaning of the GDPR and also a joint controller with us.

We have entered into an agreement with BENU that regulates data sharing and defines the obligations of both controllers regarding the protection of personal data.

Rohlik.cz, in cooperation with BENU, processes for both controllers data that is necessary for the management of the Rohlik.cz e-shop and the provision of logistics services (e.g. customer/user account, cookies, transport, order status, payment methods).

Each controller then independently processes personal data for purposes that it determines itself. This primarily involves processing of personal data for the purpose of concluding and fulfilling a contract, fulfilling legal obligations (tax or accounting records) and for the purposes of the controller's legitimate interests (e.g. complaints, legal defence) or for marketing purposes.

If you enter your BENU PLUS card number of the BENU PLUS program during the order and/or save it within your customer account on the Rohlik.cz e-shop, BENU and Rohlik.cz will also process your BENU PLUS card number and the information that you are a member of the BENU PLUS program. The purpose of the processing is the possibility of obtaining points credited to your account within the BENU PLUS program for the purchase made.

Information on the processing of personal data by BENU is available here.

2.3 Connection of a client AI assistant

If you use the possibility of connecting your own AI assistant via our MCP server to access data sources and tools on the Rohlik.cz e-shop, you will be exercising your right to data portability (for more information, see Article 5.6 below), and by using this service, your personal data may be made available to you or your chosen AI assistant provider. Please note that any further processing of your personal data made available in this way is not carried out by Rohlik.cz; it is governed exclusively by the processing terms of your chosen AI assistant provider, and Rohlik.cz bears no responsibility for it.

3. RETENTION PERIOD OF PERSONAL DATA

Specific processing periods are set out in Chapter 1 above for individual personal data processing processes. Please note that most personal data is processed for multiple purposes, and the expiry of the processing period for one purpose does not affect the processing period for other purposes. In general, we process your personal data for as long as we provide you with our services or perform a mutual contract, or for as long as necessary to fulfil archiving or other obligations under applicable law, such as the Accounting Act, the Archives and Records Act or the Value-added tax Act.

After the contract has been fulfilled (payment of the price and delivery of the goods), in the case of inactive accounts, we continue to process your personal data for our legitimate interests, which is the protection of our claims, for the necessary period of time, but no longer than 4 years (this period was set with regard to the general limitation period).

We will process personal data that we process on the basis of your consent until you withdraw your consent. To withdraw your consent, simply send an e-mail with the relevant request to zakaznici@rohlik.cz or confirm this choice in the customer account settings.

4. ONLINE SERVICES AND SOCIAL MEDIA

On our website, we use both our own online services and third-party services. Services typically use cookies or similar technologies. Cookies are small text files containing data that can be stored on the user’s device when visiting a website. Further information about Cookies can be found in a separate Cookie Policy, which can be found here.

5. YOUR RIGHTS REGARDING PERSONAL DATA PROCESSING

You have the following rights in relation to the processing of your personal data by us:

a. the right of access;

b. the right to rectification;

c. the right to erasure ("right to be forgotten");

d. the right to restriction of the processing;

e. the right to object to;

f. the right to lodge a complaint about the processing of personal data; and

g. the right to data portability.

Your rights are explained below to give you a clearer idea of their content.

You can exercise all your rights by contacting us at zakaznici@rohlik.cz or privacy@rohlikgroup.com.

5.1 Right of access

You can ask us at any time to confirm whether or not the personal data concerning you is being processed and, if so, for what purposes, to what extent, to whom it is disclosed, how long we will process it, whether you have the right to rectification, erasure, restriction of processing or to object, where we obtained the personal data and whether automated decision-making, including possible profiling, takes place on the basis of the processing of your personal data. You also have the right to obtain a copy of your personal data, the first provision of which is free of charge, and we may charge reasonable administrative costs for further provision.

5.2 Right to rectification

You can ask us to rectify or complete your personal data at any time if it is inaccurate or incomplete.

5.3 Right to erasure ("right to be forgotten")

We must erase your personal data if (i) it is no longer necessary in relation to the purposes for which it was collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, (iv) we are required to do so by law, or (v) you have withdrawn your consent to the processing of personal data, where it involves data for the processing of which your consent is necessary and at the same time we have no other legal basis for processing why we need to continue processing these data.

Please note that the settlement of the right to erasure is an irreversible process, and after erasure, it is therefore no longer possible to restore the customer account on the Rohlik.cz e-shop or its history in any way.

5.4 Right to restriction of the processing

Until we resolve any issues regarding the processing of your personal data, we must restrict the processing of your personal data so that we can only store it and, where appropriate, use it to establish, exercise or defend legal claims.

5.5 Right to object

You can object to the processing of your personal data that we process for direct marketing purposes or on the grounds of legitimate interest.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

If you object to the processing of your personal data based on our legitimate interest and in the event that it is not proven that there is our serious overriding legitimate ground for processing which outweighs your interests or rights and freedoms, your personal data will no longer be processed for these purposes.

5.6 Right to lodge a complaint about the processing of personal data

You can file a complaint with the supervisory authority, which is the Office for Personal Data Protection (https://uoou.gov.cz/).

5.7 Right to data portability

You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, in the event that:

a. the processing is based on consent (Article 6(1)(a) of the GDPR) or on a contract (Article 6(1)(b) of the GDPR); and

b. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Data are provided free of charge. However, in the case of repeated, manifestly unfounded and/or excessive requests, such requests may be subject to a fee.

Please note that this right does not apply to the processing of personal data that we carry out in the performance of our legal obligations or based on our legitimate interests.

6. FINAL PROVISIONS

6.1 Contact details of the Data Protection Officer

In case you have any questions regarding the personal data processing, you may contact our data protection officer, who is FairData Professionals a.s. (Mgr. Jaroslav Šuchman, LL.M., Mgr. Ing. Jana Schwartz Duchková) e-mail: privacy@rohlikgroup.com, tel. +420 255 000 376.

6.2 Effectiveness, updates

This privacy policy is written in both the Czech and English versions. In the event of any discrepancies or inconsistencies between the Czech and English versions, the Czech version shall prevail and be deemed the authoritative text.

This Privacy Policy is effective as of May 25, 2018 and is continuously updated.

Last update: January 2026