Privacy Policy
of Carolina Biosystems, s.r.o.,
with its registered office at Drnovská 1112/60, 161 00 Prague 6, Czech Republic,
Company ID No.: 28177002, VAT ID No.: CZ28177002,
registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 130814,
e-mail: info@carolinabiosystems.com, telephone: +420 226 203 532,
for the website and e-shop located at
https://www.carolinabiosystems.cz.
1. Introductory Information
1.1. This Privacy Policy explains how Carolina Biosystems, s.r.o. processes the personal data of customers, registered users, newsletter subscribers and visitors to the website https://www.carolinabiosystems.cz.
1.2. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (“GDPR”), Act No. 110/2019 Coll., on the Processing of Personal Data, Act No. 480/2004 Coll., on Certain Information Society Services, and other applicable legal regulations.
1.3. This Privacy Policy applies in particular to the processing of personal data in connection with: a) visiting the website,
b) creating and using a customer account,
c) ordering goods through the e-shop,
d) ordering goods by e-mail,
e) processing orders, payments, invoicing and delivery of goods,
f) handling complaints or other customer requests,
g) sending commercial communications and newsletters,
h) using analytical, security and technical tools on the website.
1.4. Separate information on the use of cookies and similar technologies is provided in the Cookie Policy.
2. Who Is the Data Controller
2.1. The data controller is:
Carolina Biosystems, s.r.o.
Drnovská 1112/60
161 00 Prague 6
Czech Republic
Company ID No.: 28177002
VAT ID No.: CZ28177002
registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 130814
2.2. Contact details of the controller:
E-mail: info@carolinabiosystems.com
Telephone: +420 226 203 532
Website: https://www.carolinabiosystems.cz
2.3. The controller has not appointed a Data Protection Officer.
3. What Personal Data We Process
3.1. We mainly process personal data that you provide to us when placing an order, registering, using a customer account, communicating with us or subscribing to the newsletter.
3.2. In connection with orders and the customer account, we may process in particular: a) first name and surname,
b) company name,
c) company ID number and VAT ID number,
d) billing address,
e) delivery address,
f) e-mail address,
g) telephone number,
h) order note,
i) information about ordered goods,
j) order history,
k) payment and invoicing data,
l) data related to shipment delivery,
m) data related to complaints, order cancellation or customer communication.
3.3. In connection with the newsletter, we may process in particular: a) e-mail address,
b) first name,
c) company name,
d) language preference,
e) information about subscription or unsubscription,
f) data on newsletter openings and link clicks, if tracked by the newsletter tool.
3.4. In connection with the operation of the website and e-shop, we may also process technical data, in particular: a) IP address,
b) cookie identifiers and similar technology identifiers,
c) data about the device and browser,
d) data about website visits,
e) data stored in server logs,
f) data processed by security and anti-spam tools.
3.5. We do not process special categories of personal data within the meaning of the GDPR, such as health data, biometric data or data concerning religious beliefs.
4. For What Purposes We Process Personal Data
4.1. We process personal data mainly for the following purposes:
4.1.1. Processing Orders and Performing the Purchase Contract
We process personal data for the purpose of receiving, confirming and processing an order, delivering goods, communicating with the customer, issuing an invoice, handling payments, possible order cancellation, complaints or other requests related to the order.
The legal basis is the performance of a contract or taking steps prior to entering into a contract pursuant to Article 6(1)(b) GDPR.
4.1.2. Customer Account
We process personal data for the purpose of creating and managing a customer account, enabling login, displaying order history and simplifying future purchases.
The legal basis is the performance of a contract or taking steps prior to entering into a contract pursuant to Article 6(1)(b) GDPR.
4.1.3. Compliance with Legal Obligations
We also process personal data in order to comply with obligations arising from legal regulations, in particular accounting, tax, archiving and record-keeping regulations.
The legal basis is compliance with a legal obligation pursuant to Article 6(1)(c) GDPR.
4.1.4. Protection of Legal Claims and Legitimate Interests
We may process personal data for the purpose of protecting our rights, recovering receivables, resolving disputes, proving legal facts, preventing misuse of the e-shop and ensuring website security.
The legal basis is the legitimate interest of the controller pursuant to Article 6(1)(f) GDPR.
4.1.5. Sending Commercial Communications and Newsletters
If you subscribe to the newsletter, we process your personal data for the purpose of sending news, commercial communications, product information, professional materials and other communications related to our activities.
The legal basis is your consent pursuant to Article 6(1)(a) GDPR.
If a customer provides us with their e-mail address in connection with a purchase, we may use it to send commercial communications concerning similar products or services. The customer may opt out of receiving commercial communications at any time, either via the link in each commercial communication or by contacting the controller.
The legal basis is the legitimate interest of the controller pursuant to Article 6(1)(f) GDPR in conjunction with Section 7(3) of Act No. 480/2004 Coll.
4.1.6. Website Traffic Analytics
To measure website traffic and improve the website, we use Google Analytics 4 through Google Tag Manager. We use analytical tools only in connection with consent granted by the user, where such consent is required by law.
The legal basis is consent pursuant to Article 6(1)(a) GDPR.
4.1.7. Website Security and Spam Protection
To protect the website and e-shop against spam, automated misuse and security attacks, we use technical and security measures, including Google reCAPTCHA, firewall, anti-DDoS protection and server logs.
The legal basis is the legitimate interest of the controller pursuant to Article 6(1)(f) GDPR, namely ensuring website security, protection against misuse and protection of customer data.
5. Customer Account
5.1. If you create a customer account, we store data necessary for account management and order processing. Order history is also available in the customer account.
5.2. We retain data in the customer account for the duration of the registration. The customer may request cancellation of the account. Data that we are required to retain in order to comply with legal obligations or protect our legal claims may be retained even after account cancellation for the period stipulated by law or for the necessary period.
5.3. The customer is obliged to protect access credentials to their account against misuse and not to disclose them to third parties.
6. Orders, Invoicing and Delivery of Goods
6.1. When placing an order, we process data necessary for processing the order, confirming the order, issuing accounting and tax documents, delivering goods and any subsequent communication.
6.2. Orders may be placed through the e-shop or by e-mail. In the case of an e-mail order, we process the data included in the e-mail communication, in particular identification and contact details, data about the ordered goods and billing or delivery details.
6.3. Invoicing and accounting data are processed in the Pohoda accounting system. The e-shop is connected to the accounting system by manual data export.
6.4. For shipment delivery, we transfer the necessary personal data to carriers and logistics partners. These data include in particular first name and surname or company name, delivery address, e-mail address, telephone number and information required for shipment transport, such as information on special transport conditions, dry ice or shipment value.
6.5. Carriers may include in particular: a) PPL,
b) DHL,
c) FedEx,
d) UPS,
e) DPD,
or other carriers or logistics partners selected according to the nature of the goods and the requirements for their transport.
7. Payments
7.1. We currently process payments mainly on the basis of an invoice.
7.2. If an online payment gateway is introduced in the future, the data necessary to make the payment will be processed by the relevant payment gateway provider. We will not store payment card data directly in our e-shop unless expressly stated otherwise.
7.3. If a new payment method is introduced, this Privacy Policy will be updated accordingly.
8. Newsletter and Commercial Communications
8.1. We use Mailchimp to send newsletters and commercial communications.
8.2. You may subscribe to the newsletter in particular: a) by ticking the relevant box when placing an order,
b) by entering your e-mail address in the website footer.
8.3. For the newsletter, we process in particular your e-mail address, first name, company name and language preference.
8.4. Within the newsletter tool, we may track e-mail openings and link clicks in order to evaluate the effectiveness of mailings and adapt the content of communications to recipients’ interests.
8.5. You may unsubscribe from the newsletter or commercial communications at any time via the link included in each commercial communication or by contacting us at info@carolinabiosystems.com.
8.6. Subscription to the newsletter is not a condition for making a purchase.
8.7. For the Mailchimp service, we have accepted the data processing terms / Data Processing Addendum. In connection with the provision of the service, Mailchimp may process personal data outside the European Union or the European Economic Area using the relevant legal mechanisms for data transfers.
9. Analytics, Cookies and Similar Technologies
9.1. We use cookies and similar technologies on the website. Cookies may be divided according to their purpose in particular into necessary, preference, statistical and marketing cookies.
9.2. Necessary cookies are required for the proper functioning of the website and e-shop, for example for website navigation, shopping cart functionality, user login, customer account, secure sections of the website or storing cookie bar settings. The website cannot function properly without these cookies.
9.3. Preference cookies allow the website to remember information that affects how the website behaves or looks, for example the preferred product display settings.
9.4. Statistical cookies help us understand how visitors use the website, measure website traffic and improve the functioning of the website.
9.5. Marketing cookies may be used to track visitors on the website and to display relevant advertising or evaluate marketing campaigns. We use marketing cookies only if they are active on the website and if the user has given consent to them.
9.6. Preference, statistical and marketing cookies and similar technologies are used only on the basis of the user’s consent, where such consent is required by law.
9.7. To measure website traffic, we use Google Analytics 4 through Google Tag Manager. Google Analytics 4 is configured with Consent Mode and data anonymization. User-level data are retained in Google Analytics for up to 14 months; aggregated overviews and reports may be available for the duration of the Google Analytics 4 service.
9.8. A detailed list of cookies used, their purposes, categories and retention periods is provided in the separate Cookie Policy.
10. Website Security, reCAPTCHA and Server Logs
10.1. In order to protect the website, e-shop, customer accounts, orders and related data, we use technical and organizational security measures.
10.2. The website uses Google reCAPTCHA as protection against spam, automated misuse and malicious activities. Google reCAPTCHA may be deployed in particular where the user enters or submits data, for example during registration, login, ordering, newsletter subscription or other website elements that require protection against misuse.
10.3. In connection with the use of Google reCAPTCHA, technical data may be processed, such as IP address, device and browser information and website behavior, and such data may be transferred to Google.
10.4. A firewall and anti-DDoS protection are used on the server side.
10.5. IP addresses and technical data about access to the website may be stored in server logs for the necessary period, normally approximately 30 days, for the purpose of ensuring the security, stability and proper functioning of the website.
11. To Whom We Disclose Personal Data
11.1. We disclose personal data only to the extent necessary to ensure the purposes described above.
11.2. Personal data may be disclosed in particular to the following categories of recipients: a) the website/e-shop operator and administrator,
b) hosting and server infrastructure providers,
c) accountant or accounting system,
d) carriers and logistics partners,
e) newsletter tool provider,
f) providers of analytical, security and technical tools,
g) IT support providers,
h) public authorities, where such obligation is imposed on us by law,
i) legal, tax or other professional advisors, where necessary to protect our rights.
11.3. The website operator and administrator is:
BEST FOR NET s.r.o.
Na Laurové 2519/3
150 00 Prague 5 – Smíchov
Company ID No.: 24826855
VAT ID No.: CZ24826855
11.4. The website and e-shop data are stored in the Czech Republic in the VSHosting data center, Sodomkova 1579/5, 102 00 Prague 10 – Hostivař. Hosting and related technical services are provided through the website operator.
11.5. The website operator has access to personal data only to the extent necessary for the provision of its services and in accordance with our instructions.
12. Transfers of Personal Data Outside the EU/EEA
12.1. Some services we use may involve transfers of personal data outside the European Union or the European Economic Area.
12.2. This may include, in particular, services provided by Google and Mailchimp.
12.3. Transfers of personal data outside the EU/EEA take place only if the conditions under the GDPR are met, in particular if the relevant recipient participates in an appropriate data transfer mechanism, if an adequacy decision exists, if standard contractual clauses are used or if another legal mechanism under the GDPR is applied.
12.4. Mailchimp states in its terms that it uses mechanisms for the transfer of European personal data, including the Data Processing Addendum and standard contractual clauses. Google and other providers may use their own legal mechanisms for transfers of data outside the EU/EEA.
13. How Long We Retain Personal Data
13.1. We retain personal data only for the period necessary for the purposes for which they were obtained, or for the period stipulated by legal regulations.
13.2. Data related to an order are retained for the period necessary to perform the contract and subsequently for the period necessary to comply with legal obligations and protect our legal claims.
13.3. Accounting and tax documents are retained for the period stipulated by applicable legal regulations.
13.4. We retain data in the customer account for the duration of the registration. The customer may request cancellation of the account. Data that we are required to retain in order to comply with legal obligations or protect our legal claims may be retained even after account cancellation for the period stipulated by law or for the necessary period.
13.5. Data processed for sending newsletters are retained for the duration of the subscription or until consent is withdrawn, the subscription is cancelled or an objection to receiving commercial communications is raised.
13.6. Server logs containing IP addresses are retained for the necessary period, normally approximately 30 days.
13.7. User-level data in Google Analytics 4 are retained for up to 14 months. Aggregated overviews and reports may be available for the duration of the Google Analytics 4 service.
13.8. The retention periods of individual cookies are provided in the separate Cookie Policy.
14. Your Rights
14.1. In connection with the processing of personal data, you have, under the conditions set out in the GDPR, in particular the following rights: a) the right of access to personal data,
b) the right to rectification of inaccurate or incomplete data,
c) the right to erasure of personal data,
d) the right to restriction of processing,
e) the right to data portability,
f) the right to object to processing,
g) the right to withdraw consent where processing is based on consent,
h) the right to lodge a complaint with a supervisory authority.
14.2. If we process personal data on the basis of consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
14.3. If we process personal data on the basis of legitimate interest, you have the right to object to such processing.
14.4. If you do not wish to receive commercial communications, you may unsubscribe at any time via the link in each commercial communication or contact us at info@carolinabiosystems.com.
14.5. You may exercise your rights by e-mail at info@carolinabiosystems.com or in writing at the registered office address of the controller.
15. Handling Requests
15.1. We respond to requests concerning personal data without undue delay, usually no later than within one month of receiving them.
15.2. In the case of more complex or numerous requests, the deadline may be extended in accordance with the GDPR.
15.3. When handling a request, we may ask for verification of the applicant’s identity if this is necessary to protect personal data.
16. Right to Lodge a Complaint
16.1. If you believe that we process your personal data in breach of legal regulations, you may contact us at info@carolinabiosystems.com.
16.2. You also have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
website: https://www.uoou.gov.cz
17. Automated Decision-Making and Profiling
17.1. No automated individual decision-making takes place in the processing of personal data that would have legal effects concerning you or similarly significantly affect you.
17.2. Within the newsletter or analytical tools, basic evaluation of interest in content may take place, for example based on e-mail openings, link clicks or website traffic. This evaluation serves to improve content and communication and has no legal or similarly significant effects on users.
18. Security of Personal Data
18.1. We adopt appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration or destruction.
18.2. These measures include, in particular, access restrictions, management of user permissions, server security, firewall, anti-DDoS protection, use of security tools, backups and control of access by persons who work with the data.
18.3. We make personal data available only to persons who need them to perform their work or contractual duties.
19. Changes to This Privacy Policy
19.1. We may update this Privacy Policy from time to time, in particular in the event of changes to the website, e-shop, services used, legal regulations or the method of processing personal data.
19.2. The current version of the Privacy Policy will always be available on the website https://www.carolinabiosystems.cz.
19.3. This Privacy Policy is effective from 10 July 2026.
In Prague on 9 July 2026