PRIVACY POLICY

This Privacy Policy outlines the procedures for the collection, processing, storage, and lawful transfer of personal data concerning consumers who visit www.tidytraydesk.com or conduct transactions via the site. These operations strictly comply with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, or GDPR) and the relevant laws and regulations of the Czech Republic.

Address and Logistics Address: Mírové nám. 207/34, 400 01 Ústí nad Labem-centrum, Czech Republic

Email: stationery@tidytraydesk.com

Phone: +420 773664001

Consumers may contact our administrative department directly via the contact details above regarding any questions about data processing, to submit requests, or to exercise their statutory rights.

Categories of Data Collected and Legal Basis
Data processing is limited to what is necessary to fulfill sales transactions, comply with legal regulations, and conduct business interactions. In accordance with Article 6 of the GDPR, the legal bases we rely upon include:

Performance of a contract (GDPR Article 6(1)(b)): Processing identity information, delivery addresses, phone records, and email communications to process orders, execute transactions, and deliver the physical office stationery trays.

Compliance with legal and tax obligations (GDPR Article 6(1)(c)): Managing invoice information, corporate financial data, and transaction records to meet requirements under corporate tax laws and statutory accounting regulations.

Legitimate business interests (GDPR Article 6(1)(f)): Sending logistics tracking updates, managing administrative records, and handling customer-initiated inquiries. Involvement of third-party processors (including Stripe)
To execute cross-border commercial transactions and ensure physical delivery within Europe, we share data only with designated corporate processors subject to strict data management mechanisms. Data transfer is limited to the following necessary operational entities:

Transaction processing and settlement (Stripe): All payment execution operations are handled by our third-party merchant service provider, Stripe Payments Europe, Ltd. (based in Ireland), and its affiliates (collectively referred to as “Stripe”). Personal data—including credit/debit card details, billing records, and payment verification information—is transmitted directly to Stripe via standard encrypted channels to complete transactions. We do not store or hold full payment card numbers or sensitive credential information internally.

Logistics and Delivery Operations: Physical shipment details (recipient name, shipping address, contact phone number) are shared with international priority courier networks (specifically DHL, FedEx, and UPS) to facilitate accurate cross-border transport, sorting, and final local delivery.

Mandatory Data Retention Periods
In accordance with the European legal principle of “storage limitation,” personal records are retained only for the duration necessary to meet legal compliance, accounting requirements, and contractual obligations within the Czech Republic:

Tax and Invoicing Records: Mandatory retention for 10 years, pursuant to Section 35 of the Czech VAT Act (Act No. 235/2004).

Contractual and Transactional Records: Retained for a maximum of 3 years following the completion of all deliveries; this aligns with the standard statutory limitation periods for contractual liability under the Czech Civil Code (Act No. 89/2012).

General Business Correspondence: Retained for the duration necessary to resolve the relevant inquiry, up to a maximum of 12 months from the date of last contact (unless the correspondence relates to a completed purchase transaction).

Statutory Rights of European Data Subjects
Under the GDPR framework, individuals residing in the EU possess specific statutory rights regarding their personal data, which may be exercised by contacting stationery@tidytraydesk.com:

Right of Access (GDPR Article 15): The right to obtain formal confirmation as to whether their data is being processed and to receive a detailed copy of such data. Right to Rectification (GDPR Article 16): The right to request the correction of inaccurate or incomplete personal records.

Right to Erasure (GDPR Article 17): The right to request the deletion of data when records are no longer required for their original purpose (subject to the company’s existing statutory data retention obligations).

Right to Restriction of Processing (GDPR Article 18): The right to restrict the scope of data processing under specific verification conditions.Right to data portability (Article 20 of the GDPR): The right to receive personal data in a structured, machine-readable format for the purpose of transferring it to another entity.

Right to object (Article 21 of the GDPR): The right to object to data processing based on “legitimate interests.”

Data subjects retain the statutory right to lodge a formal complaint with the competent supervisory authority. The primary supervisory authority in the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOÚ), located at: Pplk. Sochora 27, 170 00 Prague 7.

Data Protection Procedures
The Company employs standard administrative, electronic, and physical measures designed to prevent unauthorized disclosure, loss, or alteration of collected information. Despite the inherent complexities associated with internet-based data transmission, we utilize standard Transport Layer Security (TLS) technology and secure corporate operational practices, strictly managing data access rights to ensure that only authorized personnel have access to the data.