Privacy policy
The Privacy Policy is here to help you understand what information we collect about you and why (hereinafter referred to as the “Policy”). If you decide to use our services, you entrust us with your personal data. We do not take this lightly and we work hard to protect your personal data and enable you to manage it.
1. INTRODUCTION
1.1. When we refer to ourselves in the first person plural as “we”, this refers to our company Dookan Technologies s.r.o., with its registered office at Sokolská třída 1263/24, Moravská Ostrava, 702 00 Ostrava, Company ID: 07262485, a company registered in the Commercial Register kept by the Regional Court in Ostrava under file no. C 74919 acting as the personal data controller (hereinafter referred to as the “Controller”).
1.2. When we refer to you in the second person plural as “You”, this refers to the customer of the Controller who has decided to use our services. This person has the status of a data subject (hereinafter referred to as the “Data Subject”).
1.3. These principles are prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”) and in accordance with Act No. 110/2019 Coll., on the processing of personal data.
1.4. Personal data is all information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5. Joint Controllers. For online orders placed through our platform, Dookan Technologies s.r.o. and the relevant franchisee store operate as joint controllers under Article 26 GDPR. Dookan determines the purposes and means of data collection through the platform, while the franchisee determines the purposes and means of order fulfillment and customer service. The essence of our joint controller arrangement is that: (a) Dookan is responsible for platform security and initial data collection; (b) the franchisee is responsible for order fulfillment, payment processing; (c) both parties are responsible for responding to your data subject rights. You may exercise your rights against either Dookan or the franchisee. Contact details for the relevant franchisee will be provided in your order confirmation."
1.6. Other terms such as “special categories of personal data”, “data subject”, “processing of personal data”, “controller”, “processor”, “risk-based processing”, “automated individual decision-making including profiling” and “appropriate technical and organisational measures” have meaning and need to be interpreted in accordance with and in the context of the GDPR.
2. WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU
2.1. We process the following data about you:
a. address and identification data: name and surname, date of birth, correspondence address, e-mail, telephone
b. billing and payment data: optional ID, VAT number, registered office address (if FO doing business)
c. data on communication with the Administrator.
d. Transaction and order data: order history, purchase details, payment information (processed by franchisee), delivery addresses, product preferences, and customer service communications.
2.2. In order to improve the quality of services, personalize the offer, collect anonymous data and for analytical purposes, the Administrator uses so-called cookies on its website. By checking the "I agree" option after the notice at the bottom of the website, you agree to the use of the aforementioned technology. The website can also be used in a mode that does not allow the collection of data on the behavior of website visitors; consent can be revoked at any time.
2.3. Personal data may be stored for a longer period than specified in the table below, if they are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
3. PURPOSE AND LEGAL BASIS OF PROCESSING – PROCESSING PERIOD
Processed personal data Purpose of processing Legal reason for processing Processing period
Address and identification data Fulfillment and implementation of the contractual relationship performance from the contract; our legitimate interest for the duration of the contractual relationship; for a period of 4 years from its termination; in the event of a dispute, it is extended by the duration of the dispute
Payment and invoicing data Fulfillment and implementation of the contractual relationship, accounting performance of the contract; fulfillment of legal obligations; our legitimate interest for the duration of the contractual relationship; for a period of 10 years from the taxable performance
Data on communication with the administrator fulfillment and implementation of the contractual relationship
performance of the contract, legitimate interest for the duration of the contractual relationship; for a period of 4 years from its termination
4. PRINCIPLES OF PROCESSING PERSONAL DATA
4.1. We process personal data correctly, lawfully and transparently. This Policy informs you of the scope, content and manner in which we process your personal data.
4.2. The personal data we process are adequate, relevant and limited to the extent necessary to fulfil the stated purpose in relation to our contractual relationship.
4.3. We need your personal data to be accurate and up-to-date. If any of the data you have provided is out of date, please let us know as soon as possible so that we can correct it.
4.4. We process personal data in a manner that ensures their proper security, including their protection by means of appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
5. RECIPIENTS OF PERSONAL DATA AND PURPOSE OF TRANSFERRING INFORMATION
5.1. We may also transfer your personal data to a third party as a recipient. However, we always do this only in justified cases. We may transfer personal data to the following recipients:
a. to processors who process your personal data according to our instructions and the relationships with which they are treated according to the requirements of Article 28 of the GDPR; for example, cooperating lawyers, providers of programs that we use to better secure and operate our services - they will have access only to the extent necessary and for the purpose of administration and technical support of the programs used;
b. to public authorities and other entities, if required by applicable law;
c. other entities in the event of an unexpected event in which the provision of data is necessary for the purpose of protecting life, health, property or other public interest or if it is necessary to protect our rights, property or safety.
d. Franchisee Partners: When you place an order through our platform, we share your personal data with the franchisee store responsible for fulfilling your order. The franchisee acts as: (i) joint controller for online order processing; (ii) processor when accessing our Shopify platform for order management; and (iii) independent controller for order fulfillment, payment processing, and customer service. Franchisees and their employees can access your order details, contact information, delivery addresses, and order history. We require franchisees to maintain appropriate security measures and process your data in accordance with applicable data protection laws.
5.2. We do not intend to transfer your personal data to a third country or international organization.
6. COOKIE POLICY
6.1. Cookies
Cookies are small files that are stored on your device and that help us collect data about your activities. In particular, cookies allow us to store your settings and preferences, provide targeted content and marketing communications, and help us understand which parts of our website are most popular and analyze its performance. Cookies can come from us (“first-party cookies”) or from third parties whose services we use (“third-party cookies”). Most browsers automatically accept cookies by default. However, you can set your browser to display cookies before they are saved or to categorically not allow them.
6.2. Details on cookie settings and related changes in the most common browsers are available here:
- Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
- Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-deletemanage-cookies
- Microsoft Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Opera: http://www.opera.com/help/tutorials/security/privacy/
- Safari: https://support.apple.com/kb/PH19214?viewlocale=en_US
The administrator points out that changing the settings always applies only to the browser in question. If you use multiple browsers, you must change the settings in each of them individually. You can also delete cookies from the media memory at any time. Further information is available in the functions of your browser or operating system.
IP address
An IP address is a unique number assigned to a computer or other device communicating via the Internet Protocol. For each data transfer, you must know the IP address of the sender and recipient.
Analytical scripts
Analytical scripts are small pieces of computer code that can be used to track users and their behavior on websites. This can be basic tracking of whether a user has visited a website or advanced tracking such as adding a product to the cart, selecting a product, submitting a form, etc. Analytical scripts may provide the data obtained to a third party - the provider of the computer script.
Use of social plugins
Our websites offer the option of using social plugins from the social network Facebook. However, data is not sent automatically via the social plugin, but only by activating the social plugin - by clicking on the appropriate button. The content and scope of the data that is sent as a result of activating the social plugin is determined exclusively by the operator of the social network in question. This operator is also responsible for the protection of your personal data that it has received via the social plugin.
6.3. Types of cookies
a. Technical or functional cookies
Some cookies ensure that certain parts of the website function properly and that your user preferences remain known. By placing functional cookies, we make it easier for you to visit our website. This way, you do not have to enter the same information repeatedly when you visit our website and, for example, items remain in your shopping cart until you pay. We may place these cookies without your consent.
b. Analytical cookies
We use analytical cookies to optimize the website for our users. With these analytical cookies, we obtain information about the use of our website. We ask you for your permission to store analytical cookies.
c. Advertising cookies
We use advertising cookies on this website, which allows us to personalize advertisements for you and we (and third parties) obtain information about the results of the campaign. This is done based on the profile we create based on your clicks and surfing on and off the website. With these cookies, you as a website visitor are linked to a unique ID, so that the same advertisement is not displayed more than once, for example.
d. Marketing/Tracking Cookies
Marketing/tracking cookies are cookies or any other form of local storage that are used to create user profiles to display advertising or to track the user on this website or across multiple websites for similar marketing purposes.
Since these cookies are marked as tracking cookies, we ask you to allow them.
6.4. Cookies placed
|
Name |
Description |
Duration |
|
_ab |
Used to control when the admin bar is shown on the storefront. |
1y |
|
_abv |
Persist the collapsed state of the admin bar. |
1y |
|
_checkout_queue_token |
Used when there is a queue during the checkout process. |
1y |
|
_cmp_a |
Used for managing customer privacy settings. |
1d |
|
_identity_session |
Contains the identity session identifier of the user. |
2y |
|
_master_udr |
Permanent device identifier. |
session |
|
_pay_session |
The Rails session cookie for Shopify Pay |
session |
|
_secure_account_session_id |
Used to track a customer's session for new customer accounts. |
30d |
|
_session_id |
Used for providing reporting and analytics. |
2y |
|
_shopify_country |
Used for Plus shops where pricing currency/country is set from GeoIP by helping avoid GeoIP lookups after the first request. |
30min |
|
_shopify_essential |
Contains essential information for the correct functionality of a store such as session and checkout information and anti-tampering data. |
1y |
|
_storefront_u |
Used to facilitate updating customer account information. |
1min |
|
_tracking_consent |
Used to store a user's preferences if a merchant has set up privacy rules in the visitor's region. |
1y |
|
auth_state_<<id>> |
Stores authentication state before redirecting customers to third party for authentication. |
25min |
|
card_update_verification_id |
Used to support verification when a buyer is redirected back to Shopify after completing 3D Secure during checkout. |
20min |
|
cart |
Contains information related to the user's cart. |
2w |
|
cart_currency |
Used after a checkout is completed to initialize a new empty cart with the same currency as the one just used. |
2w |
|
cart_sig |
A hash of the contents of a cart. This is used to verify the integrity of the cart and to ensure performance of some cart operations. |
2w |
|
cart_ts |
Used in connection with checkout. |
2w |
|
checkout |
Used in connection with checkout. |
21d |
|
checkout_prefill |
Encrypts and stores URL parameters containing PII which are used in cart permalink URLs. |
5min |
|
checkout_session_lookup |
Used in connection with checkout. |
3w |
|
checkout_session_token_<<id>> |
Used when a checkout session is established on the server. |
3w |
|
checkout_token |
Captures the landing page of the visitor when they come from other sites. |
session |
|
customer_account_locale |
Used to keep track of a customer account locale when a redirection occurs from checkout or the storefront to customer accounts. |
1y |
|
customer_payment_method |
Stores what payment method is being updated for subscriptions. |
1h |
|
customer_shop_pay_agreement |
Used to help verify a new Shop Pay payment instrument. |
20min |
|
device_fp_id |
Device fingerprint identifier to help prevent fraud. |
session |
|
device_id |
Session device identifier to help prevent fraud. |
session |
|
discount_code |
Stores a discount code (received from an online store visit with a URL parameter) in order to the next checkout. |
session |
|
dynamic_checkout_shown_on_cart |
Adjusts checkout experience for buyers that proceed with regular checkout versus dynamic checkout. |
30min |
|
hide_shopify_pay_for_checkout |
Set when a buyer dismisses the Shop Pay login modal during checkout, informing display to buyer. |
session |
|
identity-state |
Stores state before redirecting customers to identity authentication. |
1d |
|
identity-state-<<id>> |
Stores state before redirecting customers to identity authentication. |
1d |
|
identity_customer_account_number |
Stores an identifier used to facilitate login across the customer's account and storefront domains. |
12w |
|
keep_alive |
Used when international domain redirection is enabled to determine if a request is the first one of a session. |
session |
|
locale_bar_accepted |
Preserves if the modal from the geolocation app was accepted. |
session |
|
locale_bar_dismissed |
Preserves if the modal from the geolocation app was dismissed. |
1d |
|
localization |
Used to localize the cart to the correct country. |
2w |
|
logged_in |
Identity logged-in hint. |
12w |
|
login_with_shop_finalize |
Used to facilitate login with Shop. |
5min |
|
master_device_id |
Permanent device identifier. |
1y |
|
order |
Used to allow access to the data of the order details page of the buyer. |
3w |
|
pay_update_intent_id |
Stores an ID of a Shop Pay billing agreement update intent, required for a callback after verifying a new Shop Pay payment instrument. |
20min |
|
preview_theme |
Used to indicate whether the theme is being previewed. |
session |
|
previous_checkout_token |
Used to prefill checkout with the details from the previous checkout. |
1y |
|
previous_step |
Used in connection with checkout. |
1y |
|
profile_preview_token |
Used for previewing checkout customizations. |
5min |
|
receive-cookie-deprecation |
A cookie specified by Google to identify certain Chrome browsers affected by the third-party cookie deprecation. More information about this cookie can be found here. |
session |
|
remember_me |
Used to prefill checkout with the details from the previous checkout. |
1y |
|
secure_customer_sig |
Used to identify a user after they sign into a shop as a customer so they do not need to log in again. |
1y |
|
shop_pay_accelerated |
Indicates if a buyer is eligible for Shop Pay accelerated checkout. |
1y |
|
shopify-editor-unconfirmed-settings |
Stores changes merchant does in the editor to update the preview. |
16h |
|
shopify_pay |
Used to log in a buyer into Shop Pay when they come back to checkout on the same store. |
1y |
|
shopify_pay_redirect |
Used to accelerate the checkout process when the buyer has a Shop Pay account. |
1y |
|
storefront_digest |
Stores a digest of the storefront password, allowing merchants to preview their storefront while it's password protected. |
1y |
|
tracked_start_checkout |
Used in connection with checkout. |
1y |
|
user |
Used in connection with Shop login. |
1y |
|
user_cross_site |
Used in connection with Shop login. |
1y |
|
wpm-domain-test |
Used to test Shopify's Web Pixel Manager with the domain to make sure everything is working correctly. |
session |
|
Reporting and Analytics |
||
|
Name |
Description |
Duration |
|
_landing_page |
Capture the landing page of visitor when they come from other sites. |
2w |
|
_orig_referrer |
Allows merchant to identify where people are visiting them from. |
2w |
|
_shopify_ga |
Contains Google Analytics parameters that enable cross-domain analytics measurement to work. |
session |
|
_shopify_s |
Used to identify a given browser session/shop combination. Duration is 30 minute rolling expiry of last use. |
30min |
|
_shopify_sa_p |
Capture the landing page of visitor when they come from other sites to support marketing analytics. |
30min |
|
_shopify_sa_t |
Capture the landing page of visitor when they come from other sites to support marketing analytics. |
30min |
|
_shopify_y |
Shopify analytics. |
1y |
|
checkout_one_experiment |
Used when a checkout is eligible to Checkout One and has been assigned to an experiment (control group or test group). |
session |
|
shop_analytics |
Contains the required buyer information for analytics in Shop. |
1y |
|
unique_interaction_id |
Used for checkout metrics. |
10min |
|
_landing_page |
Capture the landing page of visitor when they come from other sites. |
2w |
|
_orig_referrer |
Allows merchant to identify where people are visiting them from. |
2w |
|
_shopify_ga |
Contains Google Analytics parameters that enable cross-domain analytics measurement to work. |
session |
|
_shopify_s |
Used to identify a given browser session/shop combination. Duration is 30 minute rolling expiry of last use. |
30min |
|
_shopify_sa_p |
Capture the landing page of visitor when they come from other sites to support marketing analytics. |
30min |
|
_shopify_sa_t |
Capture the landing page of visitor when they come from other sites to support marketing analytics. |
30min |
|
_shopify_y |
Shopify analytics. |
1y |
|
checkout_one_experiment |
Used when a checkout is eligible to Checkout One and has been assigned to an experiment (control group or test group). |
session |
|
shop_analytics |
Contains the required buyer information for analytics in Shop. |
1y |
|
unique_interaction_id |
Used for checkout metrics. |
10min |
6.5. Manage your consent settings and delete cookies
https://nue.dookan.com/?preview_privacy_banner=1
6.6. You can use your internet browser to automatically or manually delete cookies. You can also specify that some cookies may not be placed. Another option is to change your internet browser settings so that you are notified each time a cookie is placed. For more information about these options, please refer to your browser's help.
6.7. Please note that our website may not function properly if all cookies are disabled. If you delete cookies in your browser, they will be placed again after your consent when you visit our website again.
7. CAMERA SYSTEM
7.1. The Administrator operates a camera system with recording on its premises. The purpose of processing personal data through the camera system is:
a. protection of the Administrator's property (prevention of theft and vandalism);
b. protection of the life and health of employees and customers;
c. collection of evidence in the event of emergencies;
d. obtaining material for resolving insurance claims.
7.2. The legal basis for processing personal data through the camera system is the legitimate interest of the Administrator. The Administrator has carried out a balancing test of proportionality, which has shown that the Administrator's interest in protecting property and the safety of persons outweighs the interest of data subjects in protecting privacy, given the measures taken to minimize interference with the rights of data subjects.
7.3. The camera system monitors the following premises:
a. cash registers;
b. sales area;
c. entrances to the Administrator's premises;
d. parking area immediately adjacent to the store.
7.4. Personal data is processed through the camera system in the form and image information about the behavior and actions of the recorded persons.
7.5. Recordings from the camera system are stored for 30 days, unless they are needed to resolve an emergency. In the event of an incident, the relevant recordings may be stored for the period necessary to resolve the situation.
7.6. Access to recordings from the camera system is limited to authorized persons only. The recordings are secured against unauthorized access (location in a lockable area, password-protected access, data encryption).
7.7. Recordings from the camera system may be transferred to the following recipients:
a. to law enforcement agencies in the event of an illegal act being detected;
b. insurance companies when resolving insurance claims;
c. other entities, if so provided by law.
7.8. The data subject has the following rights in relation to the recording from the camera system:
a. the right to access the recording that captures his person (provided that such recording exists and is traceable based on the time data provided by the data subject);
b. the right to object to processing;
c. other rights specified in point 8 of these Principles.
7.9. Before entering the monitored premises, information boards containing information about the monitoring of the premises by the camera system, the identification of the Administrator and a reference to these Personal Data Protection Principles are placed.
7.10. Franchisee stores operate camera systems with recording on their premises as independent data controllers. Dookan may request limited access to CCTV footage only in specific circumstances:
-
security incidents,
-
customer complaints,
-
suspected breaches of contract, or
-
to obtain anonymized operational metrics.
Dookan does not have live monitoring access or continuous access to CCTV systems. For questions about CCTV processing in a franchisee store, please contact the store directly. Contact information is available in your order confirmation or on the franchisee's premises.
8. YOUR RIGHTS
8.1. Your rights are an important element of personal data protection. If you assert any of your rights listed below, we will provide you with information about the measures taken without undue delay and in any case within one month of receiving your request. We may extend this period by up to two months in exceptional cases. We will inform you of the extension of the period and the reason for the extension.
8.2. Your personal data are processed automatically in electronic form.
8.3. You have the right to:
a. be informed about the processing of your personal data
We will provide you with information about the processing of your personal data through this Policy.
b. to access your personal data
If you request it, you will receive information from us (confirmation) as to whether or not your personal data is being processed. If it is being processed, you have the right to obtain the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; the planned period for which the personal data will be stored; the existence of the right to request that we correct or erase your personal data; the right to object; the right to lodge a complaint with a supervisory authority; all available information about the source of the personal data, unless it is obtained from you; the fact that automated decision-making, including profiling, is taking place. You can find most of this information from this Policy, but if you wish, you can also ask about the above.
c. to correct or supplement
If you know or believe that we are processing your inaccurate personal data, please inform us and we will correct it. If you would like to supplement any incomplete personal data taking into account the purpose of the processing, please inform us and we will also correct it.
d. to erase
This right of yours obliges us to destroy your personal data in accordance with Article 17(1) of the GDPR if at least one of the following conditions is met:
-
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
-
you withdraw your consent and there is no other legal ground for the processing;
-
you object to the processing and there are no overriding legitimate grounds for the processing;
-
the personal data have been processed unlawfully;
-
the personal data must be erased for compliance with a legal obligation;
-
the personal data have been collected in connection with the offering of information society services pursuant to Article 8(1) of the GDPR;
and at the same time, none of the exceptions listed in Article 17(3) of the GDPR can be applied.
e. to restrict processing
Within the framework of this right, you have the right to ask us to restrict the processing of your personal data. If the conditions under Article 18(1) of the GDPR are met, we must do so.
f. to data portability
As a data subject, you have the right to obtain, in particular, download, your personal data from us in a structured, commonly used and machine-readable format and you also have the right to have your personal data directly provided by us to another controller.
g. to raise an objection
In some cases, you have the opportunity to raise a so-called objection to processing. This mainly concerns situations where you did not have the opportunity to influence the fact that your data is processed, and at the same time it is not a matter of fulfilling a legal obligation or a vital interest, when this impossibility is defensible. You have the opportunity to raise three types of objections to processing. These are objections to:
processing based on the legal basis of legitimate interest and the performance of a task carried out in the public interest or in the exercise of official authority;
processing for direct marketing purposes based on the legal basis of legitimate interest;
processing for scientific or historical research purposes or for statistical purposes.
If an objection is raised, we will no longer process the data unless we demonstrate compelling legitimate grounds for the processing which override your interests or rights and freedoms, or for the establishment, exercise or defence of legal claims.
If an objection is raised to the processing of personal data for direct marketing or profiling purposes, we must stop processing the personal data.
h. not to be subject to automated individual decision-making, including profiling
Our processing of your personal data never involves automated individual decision-making, including on the basis of profiling.
i. withdraw consent to the processing of personal data, if the processing is based on consent
You can withdraw your consent to the processing of your personal data, which we process on the basis of this consent, at any time.
j. obtain information about a breach of the security of your personal data
If there is a likelihood that a high risk to your rights and freedoms will arise as a result of a breach of our security, we will notify you without undue delay.
k. file a complaint with a supervisory authority
Exercising Rights in Joint Controller Situations. Where Dookan and a franchisee act as joint controllers (online orders), you may exercise your rights against either party. If you contact Dookan regarding data held by a franchisee (such as CCTV footage or offline order records), we will coordinate with the franchisee to respond to your request within the legal timeframe. We will inform you which party is handling your request and provide appropriate contact details."
If you have the impression that we are violating our obligations when processing your personal data, you have the right to file a complaint with the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7; e-mail: posta@uoou.cz; www: https://www.uoou.cz; tel.: +420 234 665 111.
9. OUR CONTACT DETAILS
9.1. If you would like to contact us in connection with the processing of your personal data, please contact the following contacts:
a. in writing to the registered office address: Sokolská třída 1263/24, Moravská Ostrava, 702 00 Ostrava
b. by e-mail to our e-mail address: SUPPORT@DOOKAN.COM
THESE PRIVACY POLICY COME INTO FORCE AND EFFECTIVE ON THE DAY 1.5.2025
Dookan Technologies s.r.o.