Effective from: 1 May 2026

1. Data Controller

The data controller for personal data collected through the online store fcosme.com is Herb-Pharma s.r.o., náměstí Smiřických 38, 281 63 Kostelec nad Černými lesy, Czech Republic (Company No.: 175 34 909, VAT No.: CZ 175 34 909).

Contact: home@herb-pharma.com

The processing of personal data is governed by EU Regulation 2016/679 (GDPR) and Act No. 110/2019 Coll. on the processing of personal data.

2. What Personal Data We Process and Why

Order fulfilment

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

When you place an order, we process: first and last name, delivery address, email address, phone number, and order history. This data is necessary to deliver your order and communicate with you about it.

Retention period: for the duration of the statutory warranty period (2 years from receipt of goods), or until all claims related to the order are resolved.

Accounting and tax obligations

Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

Billing and payment data is retained for 10 years in accordance with Czech accounting legislation. Accounting is handled by our external provider V-inform s.r.o., Pražská 578, 281 63 Kostelec nad Černými lesy, Czech Republic (Company No.: 46349766).

Customer account

Legal basis: performance of a contract / legitimate interest (Art. 6(1)(b) and (f) GDPR).

If you create a customer account, we process your email address, login credentials, delivery address, phone number, and order history. You can delete your account at any time by contacting us at home@herb-pharma.com.

Newsletter and marketing communications

Legal basis: consent (Art. 6(1)(a) GDPR).

If you subscribe to our newsletter, we process your email address for the purpose of sending commercial communications. You may withdraw your consent at any time by clicking the "unsubscribe" link in any email or by contacting us at home@herb-pharma.com. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Contact form

Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

When you use the contact form, we process your name and email address solely for the purpose of responding to your enquiry. Data is not retained longer than necessary to handle your request.

Analytics and marketing tools

Legal basis: consent (Art. 6(1)(a) GDPR) – activated only after your consent via the cookie banner.

We use the following tools on our website:

• Google Analytics 4 – website traffic analysis tool (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Processes anonymised visitor behaviour data. Data may be transferred to servers in the USA. More information: policies.google.com/privacy
• Meta Pixel – advertising tool by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland) for measuring the effectiveness of ads on Facebook and Instagram. Data may be transferred to servers in the USA. More information: facebook.com/privacy/policy
• TikTok Pixel – advertising and analytics tool by TikTok Technology Limited (10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland). Activated only after your consent. Data may be transferred outside the EU. More information: tiktok.com/legal/privacy-policy. (Applies only if TikTok Pixel is actively deployed on the site.)

3. Who We Share Your Data With

We share your personal data exclusively with partners necessary to fulfil your order:

• DEXTRUM Fulfillment, a.s. – handles warehousing, packing, and dispatch of goods (Kirilovova 181, 739 21 Paskov, Czech Republic).
• Carriers – Packeta and GLS, including their local delivery partners (e.g. InPost, Poczta Polska, DPD, FoxPost), for the purpose of delivering your parcel. The specific carrier depends on your country.
• Shopify International Limited – operator of the e-commerce platform (2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland). Shopify operates the store technically; fcosme.com is currently hosted on servers in Canada.
• Shopify International Limited – newsletter emails are sent using Shopify's native system. Email addresses of subscribed customers are processed within this platform.
• Stripe Technology Europe Limited – payment processing provider (1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, D02 H210, Ireland). Stripe handles online payment transactions within Shopify Payments.
• BaseLinker sp. z o.o. – integration platform connecting the online store with the warehouse system (ul. Piastowska 7/3, 50-067 Wrocław, Poland). Order data (name, address, order details) passes through BaseLinker for handover to DEXTRUM for fulfilment.
• V-inform s.r.o. – external accounting firm handling our bookkeeping (Pražská 578, 281 63 Kostelec nad Černými lesy, Czech Republic, Company No.: 46349766). Processes billing data for statutory accounting purposes.
• Cookiebot (Usercentrics A/S) – cookie consent management tool (Havnegade 39, 1058 Copenhagen, Denmark).

We do not sell your data to third parties for marketing purposes.

4. Transfers of Data Outside the EU

Some of our partners transfer data outside the European Union: Shopify (servers in Canada), Google Analytics and Meta Pixel (servers in the USA), TikTok Pixel (if active; servers outside the EU). Canada has been granted an adequacy decision by the European Commission. Transfers to the USA are secured by standard contractual clauses approved by the European Commission in accordance with Art. 46 GDPR.

5. Your Rights

In relation to the processing of your personal data, you have the following rights:

• Right of access – you may request information about what data we hold about you.
• Right to rectification – you may request correction of inaccurate data.
• Right to erasure – you may request deletion of your data where the purpose for processing has ceased and no other legal basis applies.
• Right to data portability – you may request your data in a structured, machine-readable format.
• Right to object – you may object to processing based on legitimate interest.
• Right to withdraw consent – where processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact us at: home@herb-pharma.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

6. Cookies

Our website uses cookies. We manage them through Cookiebot, which allows you to grant or withdraw consent for individual cookie categories:

• Necessary – essential for the website to function; always active.
• Preferences – remember your settings (e.g. language, country).
• Statistics – analytical cookies (Google Analytics) to understand visitor behaviour.
• Marketing – advertising cookies (Meta Pixel) for displaying relevant ads.

You can change your consent at any time by clicking the cookie settings icon in the bottom left corner of the page.

7. Social Media

Our website contains or will contain links to brand profiles on social media platforms (Facebook, Instagram, YouTube, TikTok and others). These links are simple redirects – by clicking them you will leave our website and be directed to the respective platform.

Please note that the operators of these platforms may process your personal data in accordance with their own privacy policies, over which we have no control. We recommend reviewing the privacy policy of the relevant platform.

Where we manage our own profiles on social media, we may act as joint controllers (within the meaning of Art. 26 GDPR) together with the platform operators to process certain statistical data about visitors to our profiles (e.g. Facebook Insights). In such cases, we will provide further information directly on the relevant profile.

8. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via a notice on the website. The current version is always available at fcosme.com.

Herb-Pharma s.r.o. | náměstí Smiřických 38, 281 63 Kostelec nad Černými lesy, Czech Republic | Company No.: 175 34 909