Privacy Policy

Effective as of the 12th. 7. 2026

Information pursuant to Articles 12 through 14 of the GDPR regarding the processing of personal data on the Tommy Needle website and in the Tommy Needle online store.

1. Operator and Contact Information

The controller of personal data is:

Tommy The Needle, LLC

Address: Čermeľské údolie 6, 040 01 Košice

Company ID: 48 169 391

Tax ID: 2120071910

VAT reg. no.: SK2120071910

Registered in the Commercial Register of the Košice Municipal Court, Section: Sro, File No. 37386/V

Email: tommyneedle@tommyneedle.sk

Phone: +421 905 690 734

Website: https://www.tommyneedle.sk

The controller has not appointed a data protection officer. You may send questions and requests regarding the processing of personal data to the email or mailing address listed above.

2. Scope of These Terms and Conditions

These terms explain how we process the personal data of website visitors, online store customers, registered users, business partners, individuals who communicate with us via email, phone, contact form, or online chat, and individuals whose data is included in materials provided by customers for product customization.

When processing personal data, we comply primarily with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act No. 18/2018 Coll. on the Protection of Personal Data, and the relevant legal regulations of the Slovak Republic.

3. What personal data do we process, and where do we obtain it from?

Depending on how you communicate with us or use our services, we may process the following categories of personal data in particular:

  • identification information – first name, last name, business name, company ID number, tax ID number, and VAT ID number;
  • contact information – address, shipping and billing addresses, email address, and phone number;
  • order and contract details – goods or services ordered, quantity, price, shipping method, order status, complaints, cancellations, and related communication;
  • payment details – selected payment method, payment status, amount, variable symbol, and transaction ID; we do not process payment card details directly; they are entered in the payment service provider’s secure environment;
  • customer account information—username, email address, order history, and account settings;
  • information needed for customization—name, date, custom text, photo, logo, graphic design, dimensions, color scheme, and other materials provided for embroidery, printing, or other custom production;
  • communication data – the content of emails, online chat messages, contact forms, telephone inquiries, and attachments;
  • technical data – IP address, device and browser identifiers, server logs, information about website visits, cookies, and data regarding consent granted or denied;
  • marketing preferences – consent to receive the newsletter, cookie bar settings, and information regarding unsubscribing from marketing communications.

We collect personal data primarily directly from you. To the extent necessary, we may also obtain it from the person who placed the order on your behalf, from your employer or business partner, from payment and delivery service providers, or from publicly available registries.

4. Purposes and Legal Bases for Processing

We process personal data only for specific purposes and on the basis of the relevant legal basis under Article 6 of the GDPR:

PurposeLegal Basis
Processing Inquiries and Preparing Price QuotesTaking steps at your request prior to entering into a contract; Article 6(1)(b) of the GDPR
Order processing, manufacturing, customization, delivery of goods, and provision of servicesperformance of a contract; Article 6(1)(b) of the GDPR
Payments, Billing, Accounting, and Tax Obligationsperformance of a contract and compliance with legal obligations; Article 6(1)(b) and (c) of the GDPR
Claims, Cancellations, Complaints, and Customer Supportperformance of a contract, compliance with a legal obligation, and the protection of legal claims; Article 6(1)(b), (c), and (f) of the GDPR
Customer Account and Order Historyperformance of a contract or a legitimate interest in the convenient provision of services and account management; Article 6(1)(b) or (f) of the GDPR
Website Protection, Fraud Prevention, Security, and Technical Incident Responselegitimate interest in protecting the property, systems, data, and rights of the controller and users; Article 6(1)(f) of the GDPR
Newsletter and Marketing Communicationsyour consent; Article 6(1)(a) of the GDPR, or, where applicable, legitimate interests and the rules governing direct marketing to existing customers, if permitted by law and always with the option to easily opt out
Statistical and analytical measurement, personalization, and marketing technologiesyour consent given via the cookie banner; Article 6(1)(a) of the GDPR
Establishing, asserting, or defending legal claimslegitimate interest; Article 6(1)(f) of the GDPR

If we process data based on a legitimate interest, we always assess whether your rights and freedoms outweigh our interest. You may object to such processing.

5. Personalized Products and Other People’s Data

For custom orders, the customer may provide another person’s information, such as a child’s name, date of baptism, a photograph, an employee’s name, or the contact information of the person authorized to receive the shipment. We use this information solely to fulfill the order and for related communication.

The person who provides us with another person’s data is responsible for ensuring that they are authorized to do so and that they have appropriately informed the data subject. We process children’s data only to the extent necessary to personalize the ordered product; the order must be placed by an adult or a person authorized to act on behalf of the child.

Please do not send us any sensitive personal information that is not necessary to fulfill your order.

6. Obligation to Provide Data

Providing the information marked as required is a contractual or legal requirement. Without this information, we generally cannot prepare a quote, enter into and fulfill a contract, issue an invoice, deliver an order, or process a complaint.

Providing data for marketing purposes and consenting to the use of analytics or marketing cookies is voluntary and does not affect your ability to make a purchase.

7. Recipients of Personal Data

We share personal data only to the extent necessary with trusted partners who help us operate our online store and fulfill orders. These may include, in particular:

  • the provider of web hosting and technical website management, in particular Websupport, s.r.o.;
  • providers of e-commerce platforms and plugins, particularly WordPress and WooCommerce;
  • the payment gateway provider Besteron a.s.; when processing payments, Besteron also processes data as an independent data controller in accordance with its own privacy policy;
  • carriers and pickup locations, in particular Direct Parcel Distribution SK s.r.o. (DPD); when providing courier services, DPD acts as an independent operator;
  • the provider of the SuperFaktúra invoicing system and the accounting firm Libertax s.r.o.;
  • Tidio, a provider of online chat and customer communication services;
  • providers of analytics and advertising services, in particular Google Ireland Limited, if you have given the appropriate consent;
  • providers of email, cloud, security, and IT services;
  • lawyers, accountants, auditors, insurance companies, banks, and other professional advisors, as needed;
  • public authorities and other authorized entities, if we are required to do so by law or if it is necessary to protect legal claims.

Processors process personal data in accordance with our instructions and based on contractual and security obligations. Independent controllers determine their own purposes and conditions for processing within the scope of their services.

8. Transfers of Personal Data Outside the European Economic Area

Some technology providers, particularly Google or Tidio, may process personal data outside the European Economic Area or allow access to the data from abroad.

Such transfers take place only if the conditions set forth in Chapter V of the GDPR are met, in particular on the basis of a European Commission adequacy decision, the recipient’s participation in a valid EU–U.S. data protection framework, the European Commission’s standard contractual clauses, or other appropriate safeguards. Further information can be obtained from the relevant provider or, upon request, from the controller.

9. Retention Period for Personal Data

We retain data only for as long as necessary for the purpose for which it was collected, and subsequently for the periods required by law or necessary to protect legal claims. As a general rule, the following retention periods apply:

  • inquiries and price quotes that did not result in an order—up to 2 years from the last communication;
  • orders, contractual communications, and data necessary to demonstrate compliance with the contract—for the duration of the contract and subsequently for the applicable statutory limitation periods;
  • accounting and tax documents—10 years following the year to which they relate, unless a legal regulation requires a longer period;
  • claims, withdrawals, and complaints—during the processing period and, as a rule, for 3 years after their resolution; in the case of an ongoing dispute, until the final resolution and settlement of the claims;
  • customer account – for as long as it exists; we may delete an inactive account after 3 years of inactivity, provided there is no reason to continue retaining the data;
  • graphic and production files for personalized orders—typically 5 years from the last related order, so that we can handle repeat production or a warranty claim; Upon request, we will delete them earlier, provided that we are not prevented from doing so by a legal obligation or the protection of legal claims;
  • online chat and customer communications – generally 2 years from the date the request was closed;
  • newsletter – until consent is revoked or the subscriber unsubscribes; we may retain a record of the unsubscription for the purpose of demonstrating that no further messages should be sent;
  • server and security logs – generally for a maximum of 12 months, unless a security incident or legal claim warrants longer retention;
  • cookies and analytical data – for the period specified in the cookie bar settings and the terms and conditions of the specific provider.

10. Cookies and Similar Technologies

This website uses cookies and similar technologies. Strictly necessary cookies are used to enable the shopping cart, checkout, login, security, and to save your consent preferences. Consent is not required for their use, as they are necessary to provide the service you have requested.

We use preference, statistical, and marketing cookies only with your verifiable consent. You can change or withdraw your consent at any time by clicking the “Manage Consent” link or through the cookie bar settings. Withdrawing your consent does not affect the lawfulness of processing that took place before you withdrew it.

The current list of cookies used, their providers, purposes, and expiration dates is available directly in the cookie bar settings on the website.

11. Automated Decision-Making and Profiling

We do not engage in automated individual decision-making that would produce legal effects on you or similarly significantly affect you.

If you consent to the use of analytics or marketing technologies, the providers of these services may analyze website usage and create marketing segments. You can control this processing via the cookie bar.

12. Your Rights

Under the terms of the GDPR, you have the following rights, in particular:

  • to obtain confirmation as to whether we are processing your personal data, and the right to access it;
  • request the correction of inaccurate information or the completion of incomplete information;
  • request the erasure of personal data if the legal conditions are met;
  • request restriction of processing;
  • to obtain data in a portable format and transfer it to another controller, provided that the legal conditions are met;
  • object to processing based on legitimate interests; you may object to processing for direct marketing purposes at any time;
  • withdraw consent at any time if the processing is based on consent;
  • file a complaint with the supervisory authority or take the matter to court.

You can send your request by email to tommyneedle@tommyneedle.sk or by mail to our registered office address. We will respond to your request without undue delay, usually within one month. If we have reasonable doubts about the applicant’s identity, we may request appropriate verification of identity.

The supervisory authority is the Office for Personal Data Protection of the Slovak Republic, website: https://dataprotection.gov.sk.

13. Protection of Personal Data

We take appropriate technical and organizational measures to protect personal data from unauthorized access, loss, misuse, alteration, or disclosure. Access to the data is limited to individuals who need it to fulfill their job or contractual obligations and who are bound by confidentiality obligations.

We continuously adapt our security measures to the nature of the data processing, technological developments, and the relevant risks.

14. Final Provisions

These terms and conditions are for informational purposes only. General consent to these terms and conditions is not required for the processing of data necessary to fulfill an order. We require separate consent only where consent is the applicable legal basis, particularly for the newsletter and optional cookies.

We may update these terms and conditions, particularly in the event of changes to applicable laws, the services we provide, or our data processing methods. The current version will always be posted on our website.

These terms and conditions take effect on the 12th. 7. 2026.