Privacy Policy (GDPR, EN)

Version: 2026-04-01

1. Data Controller

  • HOOKAH GARAGE s.r.o.
  • Registered office: Dobrovského 874/29, 702 00 Ostrava, Czech Republic
  • Company No. (IČO): 08997608
  • VAT No. (DIČ): CZ08997608
  • Contact e-mail: office@titaniumcarcare.eu

2. Categories of Personal Data Processed

  • Identification data: first name, surname, company name, company registration number, VAT number.
  • Contact data: e-mail, phone number, delivery/billing address.
  • Order data: order contents, purchase history, payment and delivery information.
  • Communication data: enquiries, complaints, customer support.
  • Technical data: IP address, device data, access logs, consent and document-acceptance records.
  • Login verification data: a one-time code (stored as a cryptographic hash) and an associated challenge token, generated when the customer opts in to email login verification (MFA).

3. Purposes and Legal Bases

  • Conclusion and performance of the purchase contract: Art. 6(1)(b) GDPR.
  • Compliance with legal obligations (accounting, taxes): Art. 6(1)(c) GDPR.
  • Legitimate interests (security, fraud prevention, enforcement of claims): Art. 6(1)(f) GDPR.
  • Direct marketing (newsletter): Art. 6(1)(a) GDPR (consent).
  • Email login verification (one-time code): Art. 6(1)(b) GDPR (performance of contract / account security as part of the service). The customer opts in voluntarily and may opt out at any time in their account settings.

4. Categories of Data Subjects

  • B2C customers (consumers).
  • B2B customers and their authorised contact persons.
  • Prospective customers (leads, newsletter subscribers).

5. Recipients and Processors

  • Carriers and logistics partners: Geis CZ s.r.o., Zásilkovna s.r.o. (Packeta) and any other contracted carriers – the recipient's name, delivery address and phone number are passed to the selected carrier solely for the purpose of delivering the parcel. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
  • Payment service providers: ComGate Payments, a.s. (payment gateway for card payments, bank transfers and BLIK) – personal and payment data are processed in accordance with ComGate's terms and privacy policy.
  • IT infrastructure, hosting, e-mail and support tool providers (to the extent necessary for operating the e-shop and ERP system).
  • Accounting, tax or legal advisors (to the necessary extent).
  • Public authorities, where required by law.

6. Transfers Outside the EEA

  • Where personal data are transferred outside the EEA, the controller ensures appropriate safeguards under the GDPR (e.g. Standard Contractual Clauses).

7. Retention Periods

  • Contract-related data (orders, delivery and billing data): for the duration of the contractual relationship and a further 3 years after its termination for the purpose of protecting legal claims (limitation period).
  • Accounting and tax documents (invoices, tax documents): 5 years from the end of the tax period in which the obligation to issue them arose.
  • Marketing consents (newsletter): until consent is withdrawn; consent records are retained for 3 years after withdrawal as proof of lawful processing.
  • Audit data on terms acceptance (especially B2B): 5 years after the end of the contractual relationship.
  • Technical logs and security records: maximum 12 months from their creation, unless otherwise required by law.
  • Login verification codes (email MFA): the code hash and challenge token are automatically and permanently deleted within 10 minutes of generation, regardless of whether the code was used.

8. Rights of Data Subjects

  • Right of access to personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure, where GDPR conditions are met.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing.
  • Right to lodge a complaint with the Czech Data Protection Authority (ÚOOÚ), www.uoou.cz.

8a. Withdrawal of Marketing Consent

  • You may withdraw consent to receive marketing communications (newsletter) at any time, in particular via the unsubscribe link in the e-mail or by contacting the controller.
  • Withdrawal is free of charge and effective for the future; it does not affect the lawfulness of processing prior to withdrawal.
  • Withdrawal of marketing consent does not affect the sending of transactional messages necessary for the performance of the contract (e.g. order confirmation, invoicing and status e-mails).

9. Cookies and Online Identifiers

  • The website may use technical and functional cookies.
  • Details are set out in the separate Cookie Policy document.

10. Data Security

  • The controller implements appropriate technical and organisational measures (access control, logging, backup, encryption where appropriate).
  • Access to data is restricted to persons who need it to perform their work duties.

11. Automated Decision-Making

  • The controller does not, as a standard practice, carry out decision-making based solely on automated processing that would have legal effects on data subjects, unless explicitly stated otherwise.

12. Contact and Policy Updates

  • Questions and requests regarding data protection should be sent to: office@titaniumcarcare.eu.
  • This policy may be reasonably updated; the current version is published in the e-shop.