top of page

Processing of personal data

This Privacy Policy (the "Policy") informs you how Coverstory, s.r.o., IN: 08336474, with the address Jankovcova 1603/47a, Holešovice (Praha 7), 170 00 Praha (hereinafter referred to as the "Company"), obtains, stores and further processes your personal data in connection with the provision of Cover Story services offered through the website (hereinafter referred to as the "Website").

1. General Provisions

The purpose of this Policy issued by the Company in accordance with the Regulation(EU) No 2016/679 of the European Parliament and of the Council of 27. April 2016, as amended (hereinafter referred to as "GDPR"), is to provide information on what personal data the Company, as a personal data controller, processes about natural persons in the provision of its services and for what purposes and for how long the Company processes such personal data in accordance with applicable law, to whom and for what reason it may transfer them, as well as to inform about what rights natural persons have in connection with the processing of their personal data and how they can exercise them.


This Policy applies to the processing of data of visitors/users of the Website, i.e. the Company's customers. All services provided by the Company are intended for clients who request the Company's services through the Website (hereinafter referred to as "Client").

This Policy is effective from 1 January 2022 and is issued in accordance with the GDPR in order to comply with the Company's information obligation as a controller under Article 13 of the GDPR and Article 14 of the GDPR.

2. Personal data controller

The Company is the data controller of the Clients' personal data and the current contact details are available on the website 

3. Data protection officer

Pursuant to Article 37(1) of the GDPR, the Company is not required to appoint a Data Protection Officer, who has not been so appointed by the Company.


4. Categories of personal data processed by the company

According to Article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person. In this case, an identified person is the Client and an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The following categories of personal data may be processed in connection with the provision of services by the Company.

4.1.  Basic personal identification data

This is the kind of information that you are required to fill in on the Company's Website if you are interested in any of the services provided by the Company:

– name and surname;

– company name.


4.2. Contact details

This is following personal data

– e-mail;

– telephone number.


4.3. Payment details

Billing data (address of the company's registered office, company ID number, VAT number);

– bank account number;

– details of payments made;

– tax documents.

5. Purpose, duration and legal basis for the processing of personal data

Personal data may be processed for the following legal bases:

– performance of contractual obligations;

– compliance with legal obligations;

– on the basis of legitimate interest.


5.1. Processing of personal data in the performance of a contractual obligation

The Company cannot operate the e-shop located on the Website without knowledge of the Clients' personal data, for which reason it must collect and process the Clients' personal data.In particular, the Company processes the Clients' personal data in order to enable the processing and fulfillment of the Clients' orders placed on theCompany's e-shop. For these purposes, personal data is processed within the scope of basic personal identification data as defined in Article 4.1 of thisPolicy, contact data as defined in Article 4.2 of this Policy and payment data as defined in Article 4.3 of this Policy.

The Company collects such processed personal data from Clients in the event that Clients order goods offered in the e-shop located on the Website. This personal data is processed by the Company only for a period of five years after the order is placed by the Client, or for as long as the Company is required to do so bylaw.


5.2. Processing of personal data in the performance of a legal obligation

While providing the services, the Company is obliged to comply with the obligations arising from the following legal regulations, namely Act No. 563/1991 Coll., on Accounting, as amended (hereinafter referred to as the "AA"), Act No.586/1992 Coll., on Income Taxes, as amended (hereinafter referred to as the"ITA") and Act No. 235/2004 Coll., on Value Added Tax, as amended(hereinafter referred to as the "VAT Act").


Certain personal data may be included on accounting documents (i.e. invoices or other documents). The aforementioned laws (i.e. AA, ITA and VAT Act) oblige the Company to keep such documents for up to 10 years. Therefore, if the Company is legally obliged to keep these documents, the Clients' personal data listed on the relevant tax document is stored together with them.


5.3. Processing of personal data on the basis of legitimate interest

In the event that theClient is in default of payment for the services provided, fails to fulfill its obligation to the Company or the Company does not receive payment from theClient at all, or the Company suffers other damage or harm from the Client, theCompany is entitled to process the Clients' personal data on the basis of legitimate interest consisting in the recovery of the Company's claims and/or the establishment, protection and enforcement of the Company's legal claims.

For this purpose, theCompany is entitled to keep the Clients' personal data for the statute of limitations period pursuant to Act No. 89/2012 Coll., Civil Code, as amended.For this purpose, the Company processes, in particular, data on services provided, payments or any record of communication between the Company and theClient.


The Company is also entitled to process the Client's e-mail address, in accordance with Section7(3) of Act No. 480/2004 Coll., on certain information society services, as amended, for the purpose of sending any commercial communications concerning the services and products offered by the Company. The Client is entitled to refuse, or not to consent to the sending of commercial communications.


6. Transfer of personal data to third parties

The Company uses the professional services of third parties in the performance of its obligations and duties under contracts concluded with Clients. If these suppliers process personal data transmitted by the Company, they shall have the status of data processors and shall process personal data only in accordance with the instructions given to them by theCompany and shall not use it otherwise. Specifically, these are external suppliers of IT systems and services who may have access toClients' personal data in certain cases. The Company has entered into personal data processing agreements with the data processors referred to in the preceding paragraph which guarantee at least the same level of protection for Clients' personal data as this Policy.

The Company, in the performance of its legal obligations, transfers the Clients' personal data to administrative authorities and other public authorities, if the Company is obliged to do so by the relevant legislation.


7.  Security of personal data

The Company has established and maintains the necessary technical and organizational measures, internal control processes and information security measures in accordance with the best interests of the Client and with respect to their rights, which are appropriate to the potential risk to data subjects.It also takes into account the state of technological development in order to protect personal data from accidental loss, destruction, alteration ,unauthorized disclosure or access. These measures may include, but are not limited to, taking reasonable steps to ensure accountability of persons working with the Company or employees who have access to sensitive data and documents, employee training, regular backups, data recovery and incident management procedures, software protection of devices on which personal data is stored, among others.

Persons cooperating with the Company and its employees are bound by the obligation of confidentiality of all facts concerning the Clients, even after termination of employment or cooperation with the Company. The signed confidentiality statement is part of the employment contract of the Company's employee and contracts concluded with the cooperating persons.

8.  Client´s rights to personal data

Where the Client exercises any of its rights set out in Articles 8.1 to 8.8 of thisPolicy below or under relevant applicable and effective law, the Company shall inform the Client of the action taken or the removal of the Client's Personal Data or the restriction of processing in accordance with the Client's request to each recipient of Personal Data to whom such Personal Data has been provided pursuant to Article 6 of this Policy, provided that such communication is feasible and/or does not require disproportionate effort.


In order to exercise their rights and/or obtain relevant information, Clients may contact the Company by email at or in writing to the Company's registered office address set out in Article 3 of this Policy. If the Client exercises its rights, the Company shall be entitled to require theClient to provide the Company with certain identifying information provided byt he Client to the Company. The provision of such information is necessary to verify that the relevant request was actually sent by the Client. The Company undertakes to send a reply or a statement no later than 1 (in words: one) month after receipt of the Client's request. In justified cases, the Company reserves the right to extend this period by 2 (in words: two) months.


8.1. Rights of access to personal data

According to Article 15 of the GDPR, the Client has the right to access his/her personal data, which includes the right to obtain from the Company:

– Confirmation as to whether it processes his personal data,

– information about the purposes of the processing, the categories of personal data concerned,

– information about the recipients to whom the personal data has been or will be disclosed, the planned time of processing,

– information on the existence of the right to request from the Company the rectification or erasure of personal data relating to the Client's personal data or the restriction of its processing or to object to such processing, the right to lodge a complaint with a supervisory authority,

– information on any available information;

– information about the source of the personal data, if not obtained from the data subject, the fact that automated decision-making, including profiling, is taking place,

– information on appropriate safeguards in case of transfer of data outside the EU,

The company will always provide the first copy of the personal data free of charge.

In the event of repeated requests, the Company shall be entitled to charge a reasonable fee fora copy of the personal data.


8.2. Right to rectification of inaccurate data

According to Article 16 of the GDPR, the Client has the right to rectification of inaccurate personal data processed by the Company about the Client. The Client is also obliged to notify changes to his/her personal data and provide evidence that such changes have occurred. He is also obliged to provide assistance to the Company if it is found that the personal data processed about him by the Company is inaccurate. The Company shall carry out the rectification without undue delay, but always taking into account the technical possibilities.


8.3. Right to erasure of personal data

According to Article 17 of the GDPR, the Client has the right to erasure of personal data concerning him/her, unless the Company demonstrates legitimate grounds for processing such personal data. The Company has set up mechanisms to ensure the automatic anonymisation or erasure of personal data in the event that they are no longer needed for the purpose for which they were processed.

8.4. Right to restriction of processing

According to Article18 of the GDPR, the Client will have the right to restrict processing until the complaint is resolved if he or she disputes the accuracy of the personal data, the grounds for processing or if he or she objects to the processing.


8.5. Right to portability of personal data

According to Article20 of the GDPR, the Client has the right to the portability of the data concerning him/her, which he/she has provided to the Company as the controller, in a structured, commonly used and machine-readable format. He also has the right to ask us to transfer this data to another controller. In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, the Client's request cannot be granted.


8.6. Right to object to the processing of personal data

According to Article 21 GDPR, the Client has the right to object to the processing of his/her personal data by the Company.

If the Company fails to demonstrate that there is a compelling legitimate reason for the processing which overrides the interests or rights and freedoms of the Client as a data subject, the Company shall terminate the processing without undue delay on the basis of the objection.


8.7. Right to withdraw consent to the processing of personal data

If the Client grants the Company consent to the processing of personal data, it may be withdrawn at any time. Withdrawal of consent must be made by an express, intelligible and specific expression of will, either in writing to the Company's registered office or by e-mail to

9. Policy update

The Company hereby notifies the Clients that it is entitled to modify or update this Policy. Any changes to this Policy will become effective upon posting on the Website.


bottom of page