GDPR

Privacy Policy & GDPR — Pintado & Lacado

Last updated: May 2026

1. Data Controller The data controller responsible for your personal data is Kim.Love s.r.o., VAT CZ08751404, Švýcarská 2436, Kročehlavy, 272 01 Kladno, Czech Republic.

For any questions or requests relating to your personal data, please contact us at info@pintado-lacado.com.

2. What Data We Collect and Why We collect personal data only where necessary to fulfil our contractual obligations or where we have a legitimate legal basis to do so. The data we collect includes:

  • Contact and delivery details — your name, delivery address, email address and telephone number, used to process and deliver your order and communicate with you about it
  • Payment information — payment data is processed securely through our payment providers (Shopify Payments/Stripe, PayPal, Klarna). We do not store your full card or bank details on our systems
  • Order history — records of purchases made through our Webshop, retained for legal and contractual purposes
  • Communication data — any correspondence you send us, including emails or contact form submissions
  • Website usage data — anonymised analytics data collected via cookies, subject to your cookie preferences

We do not collect or process sensitive personal data such as information relating to ethnicity, religion, political views, health or biometric data.

3. Legal Basis for Processing We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — to fulfil your order, process payment and arrange delivery
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting and other legal requirements
  • Legitimate interests (Art. 6(1)(f)) — for fraud prevention, security and improving our services
  • Consent (Art. 6(1)(a)) — for marketing communications and non-essential cookies, where you have opted in. You may withdraw consent at any time

4. Marketing Communications If you have subscribed to our newsletter or opted in to marketing, we will use your email address to send you updates about new products, offers and crochet inspiration. You may unsubscribe at any time by clicking the unsubscribe link in any email or by contacting us directly at info@pintado-lacado.com.

We will never sell or share your personal data with third parties for their own marketing purposes.

5. Sharing Your Data We may share your personal data with trusted third parties only where necessary to fulfil your order or comply with legal obligations. These include:

  • Delivery carriers — to arrange shipping and delivery of your order
  • Payment processors — Shopify Payments (Stripe), PayPal and Klarna, each operating under their own privacy policies and GDPR compliance frameworks
  • IT and platform providers — Shopify Inc., which hosts our Webshop. Shopify is certified under EU-US Data Privacy Framework and processes data in accordance with GDPR
  • Legal and regulatory authorities — where required by law

We do not sell, rent or trade your personal data to any third party.

6. International Data Transfers Some of our service providers, including Shopify, may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data to the same standard as within the EEA.

7. Data Retention We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting and reporting requirements. In general:

  • Order and transaction data is retained for 10 years in accordance with Czech and EU accounting law
  • Marketing data is retained until you unsubscribe or withdraw consent
  • Customer service correspondence is retained for 3 years

When data is no longer required, it is securely deleted or anonymised.

8. Cookies We use cookies and similar technologies on our Webshop. A detailed breakdown of the cookies we use and their purposes is available in our Cookie Policy. Non-essential cookies are only placed with your consent, which you may withdraw at any time via your cookie settings.

9. Your Rights Under GDPR As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access — you may request a copy of the personal data we hold about you
  • Right to rectification — you may request correction of any inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — you may request deletion of your personal data where there is no legitimate reason for us to continue processing it
  • Right to restriction of processing — you may request that we limit how we use your data in certain circumstances
  • Right to data portability — you may request your data in a structured, commonly used and machine-readable format
  • Right to object — you may object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at info@pintado-lacado.com. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Data Security We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction or alteration. These include encrypted connections (SSL/TLS), access controls and regular security reviews. We also require all third-party service providers to maintain adequate security standards.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, in accordance with GDPR Article 33 and 34.

11. Supervisory Authority and Complaints If you believe we have not complied with our obligations under GDPR, you have the right to lodge a complaint with a supervisory authority. The relevant authority in the Czech Republic is:

Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7 www.uoou.cz

You also have the right to lodge a complaint with the supervisory authority in your country of residence within the EU.

12. Changes to This Policy We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or regulatory guidance. Where changes are material, we will notify you by email or via a notice on our Webshop at least 30 days before the changes take effect. The date of the most recent update is shown at the top of this page.