Bodybuilding Simplified s.r.o. ("Data Controller" or "Controller") understands that the privacy of each customer or user who visits this website is important. For this reason, the Controller has adopted the rules and measures required by applicable law and will therefore only collect and further process any personal data in the manner and to the extent permitted by applicable law. With this Privacy Policy, the Controller also provides the users or visitors of this website with the information that is obligatory to be provided to them, as well as information on the rights regarding the personal data processed and the possibilities of exercising them.

Contact details of the Data Controller:

Name: Bodybuilding Simplified s.r.o.

the company was established on the basis of and in accordance with the legal system of the Czech Republic

Registered office address: 28. října 810/246, Mariánské Hory, 709 00 Ostrava, Czech Republic

Identification number: 21519021

E-mail: trainerwinny@bodybuildingsimplified.com

The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR") and Act No. 110/2019 Coll., on the processing of personal data, as amended.

1. Definitions

Data subject: the natural person (consumer, self-employed person or natural person acting on behalf of a legal person) to whom the personal data relate (hereinafter also "you" or "customer")

Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Controller: the company Bodybuilding Simplified s.r.o., or according to GDPR the entity that determines the purpose and means of processing Personal Data, carries out the processing and is responsible for this processing

Website: website available at https://www.bodybuildingsimplified.com

Purpose of the processing of Personal Data: the reason why Personal Data is processed; such reason may be, for example, the performance of the legal obligations of the controller or the performance of a contract, the pursuit of the legitimate interests of the controller or the legitimate interests of third parties, or other reasons under Article 6 of the GDPR

Third countries: countries outside the European Economic Area, which mainly includes the member countries of the European Union and Iceland, Liechtenstein and Norway

2. Personal Data processed and its source

The Controller in accordance with the relevant legal basis and the Purpose of processing Personal Data, primarily in electronic form, process your Personal Data, whereby the Personal Data listed below is processed:

1. Name and surname;
2. Contact details (address, e-mail address);
3. Billing information;
4. Information about the payment method used;
5. Bank connection;
6. Order Note (provided that you provide Personal Data as part of the order);
7. Information you provide to the Data Controller when you communicate;
8. Login to the user account and behavior within the user account (in particular, the data you have entered or generated within the user account, such as purchase history, time of registration, last update of the user profile);
9. Email address (for newsletter subscription purposes);
10. IP address (in case the order is evaluated as fraudulent).

The Data Controller obtain Personal Data directly from you as customers or visitors to the Data Controller's Website, or Personal Data that you generate by your own activity on the Website, or Personal Data that you provide to the Data Controller during communication. The Data Controller does not process any Personal Data that can be considered a special category of Personal data under Article 9 of the GDPR. 

The provision of Personal Data at least in the scope of points a) to d) above is necessary for the purpose of concluding a contract between you and the Controller, or the information is created when placing an order. The consequence of not providing this Personal Data is not concluding a contract with the Data Controller.

3. Purposes and legal grounds for processing Personal Data

Your Personal Data may be processed for the following purposes:

1. Providing and selling the Data Controller's products;
2. Managing your user account;
3. Delivery of email newsletters that you have agreed to receive;
4. Supplying information related to the sale of the Data Controller's products and services.

The Data Controller processes your Personal Data lawfully, fairly and transparently, without adversely affecting your rights in any way. Thus, the Data Controller processes your Personal Data only when it has one of the legitimate legal grounds according to the Article 6 of the GDPR, where the processing of your Personal Data is necessary for:

1. The performance of a contractual relationship established between you and the Data Controller for the purpose of providing or selling the Data Controller's products or services;
2. For compliance with a legal obligation to which the Data Controller is subject to, i.e. primarily for the purpose of tax compliance, accounting or complaints, or for the purpose of cooperating with public authorities;
3. Purposes of legitimate interest pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data subject which require protection of Personal Data (for example, the protection of the Controller's legal interests) take precedence.

The Controller is also entitled to process your Personal Data in cases where you have given your explicit consent to this processing (for example, subscription to the Data Controller's newsletters, or managing your user account).

4. How long is Personal Data processed?

Your Personal Data is processed by the Controller to the extent necessary only for the period of time necessary for the use described above, and the Controller will periodically review whether the Personal Data needs to be retained and, if not, the Controller will delete the Personal Data. The Controller shall process Personal Data for no longer than:

1. for as long as necessary to exercise the rights and obligations arising from the contractual relationship with the Controller and to assert claims arising from such contractual relationship, but for no longer than 10 years after the termination of the contractual relationship;
2. for the period necessary to fulfil the legal obligations specified by the legal regulations of the Czech Republic in the tax and accounting field;
3. for the duration of the legitimate interest of the Controller, but for no longer than 3 years;
4. for the duration of your consent to processing (i.e. until you withdraw your consent to the processing of Personal Data).

5. Who are the recipients of Personal data?

The recipients of Personal Data are third parties or entities to whom your Personal Data may be disclosed or transferred. These are entities with whom the Controller cooperates in the performance of its activities, such as business partners or subcontractors, or to whom it discloses Personal Data in order to comply with its legal obligations. Public authorities may be considered recipients of Personal Data if the Controller is obliged to make such a transfer on the basis of applicable law (these entities then process Personal Data as separate controllers). The recipients of Personal Data may also be entities involved in the operation of this Website (Shopify), companies involved in the processing of payments (Shopify Payments, Google Pay), or the Controller's legal or accounting advisors. 

Where the recipient of Personal Data is also a processor of Personal Data, the Controller shall select only those who provide sufficient guarantees to implement appropriate technical and organizational measures necessary for the purposes of ensuring the protection of Personal Data.

6. Is Personal Data transferred to Third Countries?

The Controller does not transfer your Personal Data to Third Countries or international organizations.

7. How is Personal Data processed?

Your Personal Data is processed by the Data Controller in electronic form and not in an automated manner. Your Personal Data is not subject to any decision based solely on automated decision-making, including profiling, which would have legal effects on you or would affect you significantly in a similar way.

8. What are your rights as a Data Subject?

To exercise your rights in relation to the processing of Personal Data, please contact the Data Controller using contact details set out at the beginning of this Privacy Policy. You have the following rights in relation to the processing of your Personal Data (Articles 15 to 21 GDPR):

1. The right of access to Personal Data, i.e. the right to obtain confirmation as to whether your Personal Data is processed by the Controller and, if so, to obtain access to such data, including any other information contained in this Privacy Policy.
   
2. The right to rectification, i.e. the right to have your Personal Data corrected or completed if it is inaccurate or incomplete.
   
3. The right to erasure of Personal Data, i.e. the right to have your Personal Data erased by the Controller without undue delay if:
   1. The Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
   2. Your consent to the processing of Personal Data has been withdrawn where it has been given and there is no other relevant legal ground for processing;
   3. As a Data Subject, you object to the processing and there are no overriding legitimate grounds for the processing;
   4. The Personal Data was processed unlawfully;
   5. Personal Data must be erased to comply with a legal obligation under European Union law or the law of a Member State of the European Union.

4. The right to restrict the processing of Personal Data, i.e. your right to request that the Controller restrict the processing of Personal Data if:

1. 1. You will contest the accuracy of the Personal Data processed for the time necessary for the Controller to verify the accuracy of the Personal Data;
   2. Processing of Personal Data is unlawful and you request a restriction on the use of Personal Data instead of erasure of Personal Data;
   3. The personal data is no longer needed by the Controller for the purposes of processing, but you require it for the establishment, exercise or defense of legal claims;
   4. You object to processing until it is verified that the legitimate grounds of the Controller outweigh the legitimate grounds of you as the Data subject.

5. The right to data portability, i.e. your right to receive the Personal Data concerning you or which you have provided to the Controller in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller without any hindrance from the Controller, provided that the processing is based on your consent or on the basis of the performance of a contract or contractual obligations and the processing is carried out by automated means (where technically feasible, you have the right to have such Personal Data transmitted directly to the other controller).

6. Right to object to processing, i.e. your right to object at any time to the processing of Personal Data based on the legitimate interest of the Controller or a third party. In this case, the Controller may not further process your Personal Data unless it demonstrates compelling legitimate grounds for processing that override your rights or for the establishment, exercise and defence of legal claims of the Controller.

7. The right not to be subject to automated decision-making, including profiling, i.e. your right not to be subject to a decision which is based solely on automated decision-making, including profiling, and which has legal effects for you or similarly significantly affects you. This does not apply if such processing is necessary for the conclusion or performance of a contract between you and the Controller, is authorised by European Union or Czech law, or is based on your explicit consent.

If the Controller processes Personal Data on the basis of your consent, you have the right to withdraw this consent at any time by contacting the Data Controller at the contact e-mail address listed at the head of this Privacy Policy. The Data Controller may be contacted at this e-mail address in the event of any of the above requests to exercise the Data Subject's rights. In the case of subscription to the Controller's newsletters, it is possible to unsubscribe (i.e. to withdraw consent to the processing of Personal Data) using the button at the end of the newsletter. 

You also have the right to file a complaint with the supervisory authority, which is the Personal Data Protection Office of the Czech Republic, located at Pplk. Sochova 27, 170 00 Prague 7, Czech Republic, tel.: +420 234 665 111, web: www.uoou.cz.

9. Conclusion

By confirming and submitting your order via the Website, you confirm that you have read this Privacy Policy.

This Privacy Policy may be unilaterally amended by the Data Controller, but the wording that appears on the Website under the Privacy Policy tab shall always apply.

This Privacy Policy is effective from 1 August 2024