Privacy policy
Last updated: April 14, 2026
1. Data Controller
The controller of your personal data is:
NIKKUstudio Dub 41, Starý Jičín, Nový Jičín 741 01, Czech Republic Email: support@nikku.studio
2. What Personal Data We Collect
We collect and process the following personal data when you use our store:
- Identification data: name, surname
- Contact data: email address, phone number (if provided)
- Delivery data: shipping address, billing address
- Transaction data: order history, payment status
- Technical data: IP address, browser type, device information, cookies and similar tracking technologies
We do not collect any special categories of personal data (e.g. health data, racial or ethnic origin).
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Processing and fulfilling your order | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (order confirmation, shipping) | Art. 6(1)(b) — performance of a contract |
| Compliance with legal obligations (accounting, tax records) | Art. 6(1)(c) — legal obligation |
| Marketing emails (if you opted in) | Art. 6(1)(a) — consent |
| Fraud prevention and store security | Art. 6(1)(f) — legitimate interests |
| Analytics and store improvement | Art. 6(1)(f) — legitimate interests |
4. How We Use Your Data
We use your personal data to:
- Process, fulfill, and deliver your orders
- Communicate with you about your order status
- Send marketing communications (only with your consent)
- Comply with legal and tax obligations under Czech and EU law
- Prevent fraud and ensure the security of our store
- Improve our products and services
5. Third-Party Processors
We share your data only with trusted third-party processors who are contractually bound to protect it:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Shopify Inc. | E-commerce platform, payment processing via Shopify Payments | USA | EU Standard Contractual Clauses (SCCs) |
| Klaviyo Inc. | Email marketing platform | USA | EU Standard Contractual Clauses (SCCs) |
| Judge.me | Product reviews | USA | EU Standard Contractual Clauses (SCCs) |
We do not sell your personal data to any third parties.
6. International Data Transfers
Some of our processors are based outside the European Economic Area (EEA), specifically in the United States. These transfers are carried out in compliance with GDPR Chapter V using Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.
7. Data Retention
We retain your personal data only as long as necessary:
- Order and transaction data: 5 years from the end of the relevant tax year (Czech Act No. 586/1992 Coll. and Act No. 280/2009 Coll.)
- Customer account data: for the duration of your account, plus 3 years after last activity
- Marketing consent and communications: until you withdraw consent, plus 1 year
- Technical/analytics data: up to 26 months
8. Cookies
Our store uses cookies and similar technologies. These include:
- Strictly necessary cookies — required for the store to function (no consent needed)
- Analytical cookies — to understand how visitors use our store (require consent)
- Marketing cookies — to deliver relevant communications (require consent)
You can manage your cookie preferences at any time via our cookie consent banner or your browser settings.
9. Your Rights Under GDPR and Czech Law
As a data subject, you have the following rights under GDPR (Art. 15–22) and Czech Act No. 110/2019 Coll.:
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure ("right to be forgotten") — request deletion of your data where no legal obligation requires us to retain it
- Right to restriction of processing — request we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — withdraw marketing consent at any time without affecting prior processing
To exercise any of these rights, contact us at: support@nikku.studio
We will respond within 30 days as required by GDPR Art. 12.
10. Right to Lodge a Complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic Website: www.uoou.cz Email: posta@uoou.cz
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. Our store is hosted on Shopify's PCI DSS-compliant infrastructure.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or via a notice on our store. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For any questions about this privacy policy or your personal data:
NIKKUstudio Email: support@nikku.studio Dub 41, Starý Jičín, Nový Jičín 741 01, Czech Republic