Effective: from the launch of the e-shop Version: 1.0
The protection of your personal data is a priority for us. We regularly review all processing operations and ensure their compliance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”);
- Act No. 18/2018 Coll. on the Protection of Personal Data, as amended (hereinafter referred to as the “Act”);
- Act No. 452/2021 Coll. on Electronic Communications (with respect to the use of cookies and similar technologies).
These Privacy Terms (hereinafter referred to as the “Terms”) describe how we collect, use, store and protect your personal data when you visit our e-shop, purchase goods, register a customer account, subscribe to our newsletter, or otherwise communicate with us.
1. Who processes your personal data?
The controller of personal data within the meaning of Article 4(7) GDPR is:
IB products s.r.o. Registered office: Tomanova 19, 831 07 Bratislava – Vajnory district, Slovakia Company ID: 55 336 809 Tax ID: 2121954483 VAT ID: SK2121954483 (registered under Section 4 as of 16 June 2023) Registered in the Commercial Register of the Bratislava III Municipal Court, Section: Sro Operator of the e-shop: molequa.com (hereinafter referred to as the “E-shop”)
Contact details for the exercise of data subject rights:
- E-mail: info@molequa.com
- Correspondence address: IB products s.r.o., Tomanova 19, 831 07 Bratislava, Slovakia
(hereinafter collectively referred to as “we” or the “controller”)
We have not appointed a Data Protection Officer (DPO) under Article 37 GDPR, as we are not legally required to do so. For all matters concerning the protection of personal data you may contact us at the contacts indicated above.
2. What categories of personal data do we process?
Depending on the specific purpose, we process the following categories of personal data:
| Category | Examples of data |
|---|---|
| Identification data | first name, surname, title, Company ID, Tax ID (for self-employed persons) |
| Contact data | delivery and billing address, e-mail, telephone number |
| Order data | order content, order number, date of purchase, value of purchase, method of payment and delivery |
| Payment data | bank account number (for payment by bank transfer or refund); card payment data is processed exclusively by the payment gateway |
| Customer account data | login name, encrypted password, order history, stored addresses, favourite products |
| Communication data | the content of your messages and queries, audio recordings of calls (where recorded, you will always be informed in advance) |
| Browsing behaviour data | IP address, browser type, operating system, pages visited, time spent on the site, source of visit (via cookies and similar technologies) |
| Marketing data | newsletter engagement data (opens, clicks), product preferences |
Sensitive personal data (special categories under Article 9 GDPR) are not intentionally collected. Our goods (peptides intended for research purposes) do not require you to provide health information, and we will never ask you to do so. Should you nevertheless provide such data voluntarily (e.g. in a message or comment), we shall not actively process it and shall delete it within a reasonable period.
3. For which purposes, on which legal basis and for how long do we process your personal data?
We process personal data exclusively for the purposes set out below. For each purpose we indicate the legal basis under Article 6 GDPR and the retention period. Where the retention period is set in years, it starts to run on 1 January of the calendar year following the year in which we commenced processing your personal data for the given purpose.
3.1 Order and purchase of goods via the E-shop
Purpose: To accept and fulfil your order, issue an invoice, deliver the goods through a carrier, handle complaints or withdrawal from the contract, and communicate with you regarding the status of your order.
Legal basis: Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which you are a party or in order to take steps prior to entering into a contract at your request.
Retention period: For the duration of the contract and 4 years after its termination (the general limitation period under Section 101 of the Civil Code), or longer if a longer limitation period has been agreed or if judicial, enforcement or other proceedings are ongoing.
3.2 Customer account
Purpose: Creation and administration of a customer account through which you may make future purchases without re-entering your data, track your order history, save favourite products and delivery addresses, and benefit from loyalty schemes.
Legal basis: Article 6(1)(b) GDPR – performance of a contract (framework agreement for the maintenance of the customer account).
Retention period: For the duration of the customer account. You may close your account at any time by sending a request to our e-mail; following closure, your data will be deleted within 30 days, save for data we are required to retain on other legal bases (e.g. accounting documents).
3.3 Handling of complaints and withdrawal from contract
Purpose: Proper handling of complaints regarding the goods or of withdrawals from the contract within the statutory 14-day period, recording of complaints, and refund of monies.
Legal basis:
- Article 6(1)(b) GDPR – performance of a contract;
- Article 6(1)(c) GDPR – compliance with a legal obligation under Act No. 250/2007 Coll. on Consumer Protection and Act No. 108/2024 Coll. on Consumer Protection in respect of the sale of goods or the provision of services under distance contracts.
Retention period: 4 years from the conclusion of the complaint procedure or the settlement of the withdrawal from contract.
3.4 Accounting and tax obligations
Purpose: Maintenance of accounting records, issuance and recording of invoices, tax documents, account statements and other accounting records.
Legal basis: Article 6(1)(c) GDPR – compliance with a legal obligation under Act No. 431/2002 Coll. on Accounting, Act No. 222/2004 Coll. on VAT, Act No. 595/2003 Coll. on Income Tax and other regulations.
Retention period: 10 years from the date the accounting document was issued (Section 35 of the Accounting Act).
3.5 Direct marketing to existing customers (newsletter)
Purpose: Distribution of commercial communications regarding new products, promotions and content (e.g. blog articles) similar to the goods you have purchased from us.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest of the controller in promoting the sale of its own products to existing customers within the meaning of Recital 47 GDPR and Section 116(15) of Act No. 452/2021 Coll. on Electronic Communications.
Retention period: For the duration of the contractual relationship and 2 years thereafter, or until revocation (unsubscription from the newsletter). You may unsubscribe at any time free of charge by clicking the link in the footer of each e-mail or by sending a request to our e-mail.
3.6 Newsletter and marketing communications based on consent
Purpose: Sending of news, information about promotions, discounts, competitions and marketing offers to persons who are not yet our customers, or offers of products that are not similar to those previously purchased.
Legal basis: Article 6(1)(a) GDPR – your explicit consent.
Retention period: Until withdrawal of consent, no longer than 2 years from the date it was granted (upon expiry of this period we may request its renewal).
3.7 Competitions and marketing events
Purpose: Organisation of competitions, registration of participants, evaluation of results, contacting winners and delivering prizes, and publication of the winner’s name (where consented to).
Legal basis: Article 6(1)(a) GDPR – your consent expressed by entering the competition under the conditions announced in the competition rules.
Retention period: Until the competition is concluded and the prize delivered, no longer than 1 year after the conclusion of the competition (in case of disputes); in the case of winners whose prize was subject to tax, 10 years in the accounting records.
3.8 Affiliate programme
Purpose: If you arrived at our E-shop through a click-through from the website of one of our affiliate partners and made a purchase, we record this connection in order to pay the agreed commission to the partner. We do not provide your personal data to the partner – only aggregated information confirming that a purchase was made via their referral link.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest of the controller in developing its business through a partner network.
Retention period: 4 years from the date of purchase, or longer where required by law.
3.9 Suppliers, business partners and their contact persons
Purpose: Conclusion and performance of contracts with suppliers and business partners, and communication with them and their contact persons.
Legal basis:
- Article 6(1)(b) GDPR – performance of a contract (in the case of self-employed natural persons);
- Article 6(1)(f) GDPR – the legitimate interest of the controller in performing contracts (in the case of contact persons of legal entities).
Retention period: For the duration of the contractual relationship and 4 years thereafter.
3.10 Assertion and defence of legal claims
Purpose: Assertion of receivables, recovery of claims, defence against claims raised by third parties, and the conduct of judicial, administrative or other proceedings.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest of the controller in protecting its rights and legal claims.
Retention period: For the duration of the applicable limitation periods, no longer than 10 years from the date the claim arose, or until the final conclusion of the proceedings.
3.11 Cookies and similar technologies
Detailed information on cookies, their categories, purposes and configuration options is set out in a separate document, the “Cookie Policy”, available on our E-shop.
In brief:
- Essential cookies – processed on the basis of legitimate interest (Article 6(1)(f) GDPR) and Section 116(3) of Act No. 452/2021 Coll. (they enable basic functionality of the E-shop, e.g. adding goods to the basket). Retention period: typically up to 7 days or until the end of the session.
- Functional, analytical and marketing cookies – processed solely on the basis of your consent (Article 6(1)(a) GDPR) granted via the cookie banner. You may withdraw or modify your consent at any time in the cookie settings. Retention period: typically up to 13 months, unless otherwise stated for an individual cookie.
3.12 Social networks
Purpose: Operation of corporate profiles on social networks (in particular Facebook, Instagram, and where applicable YouTube and TikTok), communication with followers, and display of advertisements.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest in our self-presentation and promotion.
Note regarding social network profiles: With respect to the administration of Facebook fan pages, we act as joint controllers with Meta Platforms Ireland Ltd. within the meaning of Article 26 GDPR for page statistics (Page Insights). The essence of this arrangement is available at: https://www.facebook.com/legal/terms/page_controller_addendum
Retention period: For the duration of the relevant profile, no longer than 5 years from the commencement of processing.
3.13 IT security and logging
Purpose: Ensuring information security, prevention and investigation of security incidents, and protection against unauthorised access and fraud.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest in protecting information systems and data.
Retention period: No longer than 12 months from the recording of the event.
3.14 Fulfilment of GDPR obligations
Purpose: Handling of data subject rights requests, maintenance of records of processing activities, recording of security incidents, and fulfilment of other obligations under the GDPR and the Act.
Legal basis: Article 6(1)(c) GDPR – compliance with a legal obligation.
Retention period: 5 years from the settlement of the request or the conclusion of the incident.
4. To whom do we disclose your personal data?
We do not sell your personal data to any third party. We disclose it only to the extent necessary for achieving the relevant processing purpose, to the following categories of recipients:
4.1 Processors (processing data on our behalf)
- Web-hosting and cloud service provider – storage of E-shop data
- E-shop platform provider (CMS / e-commerce platform)
- Accounting services provider – external accounting firm
- Carriers – delivery of goods (e.g. Packeta, GLS, DPD, Slovenská pošta and similar)
- Payment gateways – processing of card or bank transfer payments (e.g. Stripe, GP webpay, ComGate, Besteron, Tatra banka CardPay and similar)
- E-mail marketing service providers – distribution of the newsletter (e.g. Mailchimp, Ecomail, SmartEmailing and similar)
- Analytics tool providers – Google Analytics, Meta Pixel (subject to your consent)
- Customer support tool providers – live chat, helpdesk
- Review system providers – verified reviews (e.g. Heureka.sk, Google Reviews) – only where you have consented at the point of order
All processors are bound by a contract pursuant to Article 28 GDPR and implement adequate technical and organisational measures to protect your data.
4.2 Independent controllers
- Law firms, bailiffs, courts, notaries – in the event of litigation or claim enforcement
- Auditors, tax advisors
- Public authorities (e.g. the tax authority, the Slovak Trade Inspection, the Office for Personal Data Protection, the Police of the Slovak Republic) – where required by law
4.3 Recipients in the context of marketing
- Affiliate partners – only aggregated information on completed purchases via their referral link, not personal data
- Advertising platforms (Google, Meta) – only where you have consented to marketing cookies
5. Transfer of personal data to third countries
Your personal data is primarily processed within the European Economic Area (EEA).
Some of our processors (in particular providers of analytics tools and e-mail services with seat in the USA – e.g. Google LLC, Meta Platforms Inc.) may process data in third countries outside the EEA. In such cases we ensure an adequate level of protection by means of:
- a European Commission adequacy decision (Data Privacy Framework for the USA – decision of 10 July 2023);
- standard contractual clauses approved by the European Commission (Article 46(2) GDPR); or
- other appropriate safeguards under Chapter V GDPR.
A copy of these safeguards may be requested by contacting our e-mail.
6. Automated decision-making and profiling
Your personal data is not subject to automated decision-making producing legal effects concerning you within the meaning of Article 22 GDPR.
In the context of marketing activities, profiling may take place to a limited extent (e.g. newsletter segmentation based on interests or previous purchases), which however produces no legal or comparable effects for you.
7. Your rights as a data subject
In connection with the processing of your personal data, the GDPR grants you the following rights:
7.1 Right of access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to obtain access to such data and to information about the processing (purposes, categories of data, recipients, retention period, etc.). The first copy of the data is provided free of charge; for further copies we may charge a reasonable administrative fee of EUR 5 per additional copy.
7.2 Right to rectification (Article 16 GDPR)
You have the right to have inaccurate data rectified and incomplete data completed without undue delay.
7.3 Right to erasure (“right to be forgotten”) (Article 17 GDPR)
You have the right to have your data erased where one of the grounds set out in Article 17 GDPR applies – for example, where the data is no longer necessary for the processing purpose, you have withdrawn consent, you object to the processing, or the data has been processed unlawfully. This right is not absolute – it may be restricted, for example, with respect to data necessary for compliance with legal obligations (accounting) or for the assertion of legal claims.
7.4 Right to restriction of processing (Article 18 GDPR)
You have the right to request restriction of processing (data is then only stored but not further processed) in the cases set out in Article 18 GDPR.
7.5 Right to object (Article 21 GDPR)
You have the right to object to the processing of your personal data based on the legitimate interest of the controller (Article 6(1)(f) GDPR). Following an objection, we shall cease processing the data unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms.
You may object to processing for the purposes of direct marketing at any time and without giving any reason – in such case we shall immediately cease processing your data for that purpose.
7.6 Right to data portability (Article 20 GDPR)
Where processing is based on your consent or on the performance of a contract and is carried out by automated means, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller (where technically feasible).
7.7 Right to withdraw consent (Article 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. You may withdraw consent by:
- clicking the “Unsubscribe” link in the footer of each marketing e-mail;
- changing the settings of your customer account;
- changing the cookie settings on our E-shop;
- sending a request to our contact e-mail.
7.8 Right to lodge a complaint (Article 77 GDPR)
If you consider that the processing of your personal data infringes the GDPR or the Act, you have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection of the Slovak Republic Hraničná 12, 820 07 Bratislava 27, Slovakia Tel.: +421 /2/ 3231 3214 E-mail: statny.dozor@pdp.gov.sk Web: www.dataprotection.gov.sk
7.9 How may you exercise your rights?
You may exercise your rights:
- by e-mail at info@molequa.com;
- in writing to the registered office of the company;
- in person at the registered office (by prior arrangement).
We shall assess and settle your request without undue delay, and in any event within 1 month of its receipt. This period may be extended by a further 2 months where necessary, taking into account the complexity of the request or the number of requests, of which we shall inform you.
In order to protect your data, we may verify your identity where we have reasonable doubts as to whether the request was submitted by an authorised person.
The handling of a request is free of charge. Only where your request is manifestly unfounded or excessive (in particular due to its repetitive character) may we charge a reasonable fee or refuse the request.
8. Is the provision of personal data mandatory?
| Purpose | Obligation to provide data | Consequence of non-provision |
|---|---|---|
| Purchase of goods and conclusion of a purchase agreement | Contractual requirement | We will be unable to enter into a contract and deliver the goods |
| Issuance of an invoice | Statutory requirement (Accounting Act, VAT Act) | We cannot execute the sale |
| Newsletter (based on consent) | Voluntary | We will not send you marketing communications |
| Participation in a competition | Voluntary | You will not be able to participate |
| Essential cookies | Without them the E-shop cannot function | Inability to use the E-shop, or limited functionality |
| Marketing cookies | Voluntary | Advertising will not be personalised |
9. Security of your personal data
We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or misuse, in particular:
- encrypted data transmission (HTTPS / TLS);
- secured storage and access to data restricted to authorised persons;
- regular back-ups;
- confidentiality obligations binding upon employees and processors;
- regular review of the measures in place.
In the event that, despite our measures, a breach of the protection of your personal data occurs which is likely to result in a high risk to your rights and freedoms, we shall notify you of such breach without undue delay in accordance with Article 34 GDPR.
10. Amendments to these Terms
We may update these Terms from time to time. The current version is always available on our E-shop. We shall inform you of material changes by appropriate means (e.g. by e-mail or by notice on the E-shop).
Version 1.0 — effective from the launch of the e-shop