Privacy policy

§ 1 General provisions

The Administrator of the personal data of the users of the website located under the domain www.shoelace.ie, is SHOELACE ATHLONE, with registered office: Unit 21, Athlone Town Centre, 8-10 Mardyke Street, Athlone, Ireland (hereinafter: "Administrator").

Contact with us as the Administrator is possible:

(1) at e-mail address: office@shoelace.ie.,

(2) in writing, to the Administrator's address: Unit 21, Athlone Town Centre, 8-10 Mardyke Street, Athlone, Ireland.

The purpose of our Policy is to set forth the actions we will take with respect to personal data collected through our website and related services and tools used by users, as well as in the activity of entering into and fulfilling contracts in contact outside the website.

If necessary, the provisions of this Policy may change. We will communicate changes to users by announcing the new contents of the Policy on the website, and in the case of those who have consented to the processing of data by e-mail or have provided e-mail data in the execution of contracts, they will also be notified by e-mail.

§ 2 On what basis we process data, for what purpose and how we store personal data

Our users' personal data is processed in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act of 10.05.2018 and the Electronic Services Act of 18.07.2002, as well as the UK GDPR and Digital Protection Act. Together with subsequent amendments of the above.

As Administrator, we may collect the following data for the following purposes:

Purpose of data processing	Legal basis for processing and data retention period	Data retention period	Scope of data processed
Performing a contract with the customer or taking action at the request of the data subject before entering into the aforementioned contracts	Article 6(1)(b) of the GDPR (performance of a contract).	for the duration of the aforementioned contract until the expiration of the legal obligation related to accounting data will be processed until the expiration of the period during which it is possible to assert claims	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), company name, TIN
Direct marketing	Article 6(1)(f) of the GDPR (legitimate interest of the Administrator). The Administrator may process data for direct marketing purposes only after obtaining consent and in the absence of an objection from the data subject.	until you withdraw your consent - remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful. data will be processed until the expiration of the period during which it is possible to assert claims	email address; telephone number;
Marketing	Article 6(1)(a) of the GDPR (consent)	until you withdraw your consent - remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful. data will be processed until the expiration of the period during which it is possible to assert claims until, you unsubscribe from the newsletter.	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country),
Customer's expression of opinion	Article 6(1)(a) of the GDPR	in the absence of an opinion for a period of 30 days after you make a purchase or until, your objection is upheld. against processing; when an opinion is expressed, until it is deleted or until an objection to processing is upheld data will be processed until the expiration of the period during which it is possible to assert claims	name; e-mail address; telephone number;
Bookkeeping	Article 6(1)(c) of the GDPR in conjunction with Article 86(1) of the Tax Ordinance i.e. dated January 17, 2017. (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act, i.e. of January 30, 2018. (Journal of Laws of 2018, item 395).	data will be processed until the expiration of the period during which it is possible to assert claims the data shall be kept for the period required by law mandating the retention of tax books (until the expiration of the statute of limitations for tax liabilities, unless otherwise provided by tax laws) or accounting books (5 years, counting from the beginning of the year following the financial year to which the data refer).	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), TIN; company name;
Making a refund	Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR).	5 years after the termination of business relations with the customer	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), business entity data.
Establishing, asserting or defending claims that the Administrator may assert or that may be asserted against the Administrator	Article 6(1)(f) of the GDPR	the data are kept for the period of our legitimate interest, but no longer than the period of the statute of limitations for claims against the data subject for business activities.	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), TIN; company name;
Conduct research and analysis to improve the performance of available services	Article 6(1)(f) of the GDPR	the data will be processed until the expiration of the period during which claims can be asserted until the expiration or deletion of cookies used for analytical purposes	company name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), computer components, settings, installed software.
Customer account registration	Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR)	5 years after the termination of business relations with the customer	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), business entity data.
Sending notifications to the customer	Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR) Fulfillment of a legal obligation incumbent on the Controller (Article 6(1)(c) GDPR)	5 years after the termination of business relations with the customer	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), business entity data.
Providing customer service	Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR)	5 years after termination of business relationship with the Customer 2 years after the last update of the Customer's inquiry	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), data of the business entity,
Correct functioning of the service	Maintaining the performance of the Service and improving it (Article 6(1)(f) GDPR)	5 years after the termination of business relations with the Customer	As in the cell above, Information about the activities performed on the site (button clicks, time of visits, notifications read, other information depending on the specific business case).
Tracking site visits for security reasons	Protecting and securing the service, customers' interests, safeguarding the customer's security (Article 6(1)(f) GDPR)	3 years	User ID, IP Address, Browser, Content and URLs to which the User connects, Date and time of connections.
Protecting customers from using a disclosed login password	Protecting and securing the service, customers' interests, safeguarding the customer's security (Article 6(1)(f) GDPR)	Time required for Administrator to check password	User ID, Customer Password.
Allowing the Customer to reset the password	Protecting and securing the service, customers' interests, safeguarding the customer's security (Article 6(1)(f) GDPR)	5 years after the termination of business relations with the customer	name; e-mail address; business entity data, Customer's password, User ID.
Oversee compliance with regulations, contracts, privacy policies	Protecting and securing the service, customers' interests, safeguarding the customer's security (Article 6(1)(f) GDPR)	5 years after the termination of business relations with the customer	transaction data, data of the business entity.
Processing of requests for personal data	Article 6(1)(c) of the GDPR	The period of the existence of the legitimate interest of the Administrator, but no longer than the period of the statute of limitations for claims against the data subject for business activities.	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), TIN; company name.
Provide information to authorities, law enforcement and other state institutions,	Article 6(1)(c) of the GDPR	The period of the existence of the legitimate interest of the Administrator, but no longer than the period of the statute of limitations for claims against the data subject for business activities.	name; e-mail address; telephone number; address (street, house number, apartment number, postal code, city, country), TIN; company name.

Within the scope of the regulations of the UK GDPR and Digital Protection Act, Article 6 of the UK GDPR in particular applies, as well as other regulations depending on the situation described above.

We retain our users' personal data for no longer than is necessary to achieve the purpose of the processing, i.e. until the user withdraws consent if the processing is based on such consent, or until the statute of limitations on claims for the performance of concluded contracts (in the case of sales/service contracts, these are 2 years, counting by the end of the year), or until we have fulfilled an inquiry received in an email, or until we have completed processing a complaint.

Users' personal data that we have obtained due to the performance of a user account contract is kept by us for a period of 2 years from the last purchase made through it, and no longer than 3 years from that activity.

We declare that we may use profiling on our site for direct marketing purposes, however, all decisions made on the basis of profiling will never relate to the conclusion or refusal of a contract or the possibility of using our electronic services. The effect of using profiling in our case may be, for example, to give a person a discount, to send him or her a discount code, to send a product proposal that may match the person's interests or preferences, or to offer better terms compared to a standard offer. Despite our use of profiling, it is the person who freely decides whether to take advantage of the discount or better terms received in this way and make a purchase. Profiling in itself involves the automatic analysis or prediction of a person's behaviour on our site, e.g. by adding a particular product to a shopping cart, browsing a particular product page, or by analyzing a person's past activity history on the site. In order for such profiling to take place, however, we first need to obtain a person's personal data (according to the principles described in this Policy) so that we can then send them, for example, a discount code.

To the extent necessary for the proper functioning of the website, its functionality, our website may, during the user's use of the website, also collect other information, including but not limited to:

IP address;
device, hardware and software information, such as hardware identifiers, mobile device identifiers (e.g. Apple Identifier for Advertising ["IDFA"] or advertising identifier on an Android device ["AAID"]),
type of platform,
browser data, including browser type and preferred language;

Taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and severity, as the Administrator of such data, we implement appropriate technical and organizational measures so that the processing is carried out in accordance with the GDPR and can subsequently demonstrate this. These measures are regularly reviewed and updated as necessary. As Administrator, we use technical measures to prevent unauthorized persons from obtaining and modifying data, including those personal data that are sent electronically.

§ 3 Situations in which we share personal data with others

We assure you as an Administrator that any personal information collected by us is used solely to fulfill our obligations to you. This information will not be shared with third parties, however, except when:

1. the express consent of the data subjects to do so is given in advance, or
2. if the obligation to provide such data is or will be imposed by applicable law, such as to law enforcement agencies.

In addition to the above, personal data of our users and customers may be transferred to the following recipients or categories of recipients:

- to service providers who supply us with technical, IT and organizational solutions that enable us to run our business, including the website and the services provided through it (in particular, software providers, marketing agencies, email and hosting providers, business management software providers and those who provide us with technical support, as well as the product delivery operator) - in this case, we share the collected personal data of the Customer with the selected provider (accepted by the Customer) acting on its behalf only in the case and to the extent that is necessary to fulfill the given purpose of processing under the terms described in this Policy.
- to providers of accounting, legal or consulting services that provide us with accounting, legal or consulting support (in particular, if it is an accounting firm, law firm or debt collection company) - in this case, we share the collected personal data of the Customer with the selected provider acting on our behalf and only in the case and to the extent that is necessary to realize the given purpose of processing in accordance with this Privacy Policy.

As Administrator, we may also share anonymized data (i.e., data that does not identify specific Users) with third-party service providers in order to better identify the appeal of advertisements and services. For this reason, there may be situations where, due to the location of the software providers, data may be transferred - subject to the principles of data protection - to third countries that nevertheless provide an adequate level of contractual provisions approved by the European Commission for the processing of personal data, or that have the appropriate authority to do so on the basis of entrustment agreements for data processing between the European Union and the relevant country that is not a member of the European Economic Area. These entities in our case are:

Google LLC. (Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used to analyze Web site statistics, Google Tag manager: used to manage scripts by easily adding code snippets to a site or application and to track actions performed by users on a Web site, Google Ads used to display sponsored links in Google's search engine results and on collaborative sites under the Google AdSense program,
Meta Platforms, Inc. (headquartered at 1601 Willow Road Menlo Park, CA 94025, USA) for Facebook pixel used to track conversions from Facebook ads, optimize them based on collected data and statistics, and build a targeted audience list for future ads

As the Administrator, we will always inform you of our intention to transfer personal data outside the EEA at the stage of collection.

We conduct risk analysis on an ongoing basis to ensure that we process personal data in a secure manner - ensuring, above all, that only authorized persons have access to the data and only to the extent necessary for their tasks. In particular, we make sure that all operations on personal data are recorded and performed only by authorized employees and associates.

We also take all necessary measures to ensure that our subcontractors and other entities cooperating with us provide guarantees that appropriate security measures are applied whenever they process personal data provided by us.

Our website may use the functionality of Google Analytics, i.e. a web audience analysis service provided by Google, LLC. ("Google"). Google Analytics uses cookies to help us analyze how visitors use our website. The information generated in this way is generally transmitted to and stored by Google on servers in the United States. In accordance with current IT standards, the IP addresses of users visiting our site are abbreviated. Only in exceptional cases is the complete IP address sent to a Google server in the United States and shortened there. Google will use this information to evaluate the website for its users, to compile reports on website traffic and to provide other services related to website traffic exclusively on our behalf and only to the extent indicated by us. In doing so, Google will not associate the IP address transmitted within the scope of Google Analytics with any other data in its possession. For more information on how Google Analytics collects and uses data, please visit Google's official website at: www.google.com/policies/privacy/partners. We encourage you to familiarize yourself with them. In addition, any User can prevent Google from collecting and processing data about his/her use of the website by downloading and installing a browser plug-in.

When we share data with third parties, we make every effort to ensure that this is done only to entities that meet the criteria and requirements indicated within Article 46 or 49 of the GDPR. In such cases, we will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. In accordance with the decision of the Court of Justice of the European Union of July 16, 2020, as Administrator we continue to evaluate on an ongoing basis the legal regime of the countries to which the data we obtain is transferred and, where necessary, update measures to ensure adequate levels of protection.

With regard to data transferred to the United States, when sharing data with third parties, we make every effort to ensure that this is done, in accordance with the European Commission's decision of July 10, 2023, and only to entities and organizations in the US that ensure compliance with the new "EU-US Data Privacy Framework." A list of these organizations has been published by the US Department of Commerce. Transfers of personal data from the EEA to organizations that have joined the "EU-US Data Privacy Framework" program and are on this list are possible without the need for additional authorizations or the use of such legal instruments as standard contractual clauses or binding corporate rules. However, in cases where a particular data importer in the US has not joined the "EU-U.S. Data Protection Framework" program, transfers of personal data to it are possible and will be made upon compliance with the conditions set forth in Article 46 or 49 of the GDPR. In such cases, we will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA.

§ 4 User rights

A user whose personal data is processed by us has the right to:

access, rectification, restriction, erasure or portability - the data subject has the right to request from us access to his/her personal data, rectification, erasure ("right to be forgotten") or restriction of processing, and has the right to object to processing, and has the right to portability of his/her data. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the GDPR.
to withdraw consent at any time - a person whose data is processed by us on the basis of expressed consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
lodge a complaint with a supervisory authority - a person whose data we process has the right to lodge a complaint with a supervisory authority in the manner and mode specified in the GDPR and Irish law, in particular the Personal Data Protection Act. The supervisory authority in Ireland is the President of the Office for Personal Data Protection in Ireland.
object - The data subject has the right to object to us at any time - on grounds relating to his or her particular situation - to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the Administrator), including profiling under these provisions. In such case, we will no longer be allowed to process the personal data, unless we can demonstrate the existence of compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims.
objection to direct marketing - If personal data are processed for direct marketing purposes (based on our legitimate interest and not on the basis of consent), the data subject has the right to object to such processing relating to his or her personal data for such marketing, including profiling, at any time to the extent that the processing is related to such direct marketing.

In order to implement the above, you should send us a relevant request to the e-mail address office@shoelace.ie. Such a request should include the user's name and surname.

At the same time, the user shall ensure that the data provided or published by him on the site is correct.

§ 5 Cookies and how we use them

By "cookies" we mean computer data, in particular text files, usually stored on the hard drive of a computer or mobile device and used to store certain settings and data by the user's browser in order to use websites. These files allow us to recognize the user's device and display our website accordingly, providing comfort during its use. The storage of "cookies" therefore enables us to prepare our website and offerings accordingly to the preferences of the respective user - the server recognizes the user and remembers preferences such as visits, clicks, previous actions, among others.

"Cookies" contain, in particular, the domain name of the website from which they originate, the time they are stored on the end device and a unique number used to identify the browser from which the connection to the website is made.

"Cookies" are used by us in order to:

1. to adapt the content of the websites to your preferences and to optimize the use of the websites,
2. to create anonymous statistics, which help us to determine how the user uses our website and enable us to improve its structure and content,
3. to provide users with advertising content tailored to their interests.

We emphasize that "cookies" are not used to identify the user and on their basis your identity is not established.

The basic division of "cookies" on our site is their distinction into:

Necessary "cookies" - they are absolutely necessary for the proper functioning of our site or its functionalities you want to use, because without them we could not provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
Functional cookies - are important for the operation of the website due to the fact that:

- are used to enrich the functionality of our site; without them, the site will work properly, but will not be tailored to the user's preferences,

- serve to ensure a high level of functionality of our site; their absence may reduce the level of functionality of the site, but should not prevent you from using it completely,

- serve the majority of the functionality of our site; their blocking will result in selected functions not working properly.

Business "cookies" - enable us to implement the business model on the basis of which our site is provided; blocking them will not make all functionality unavailable, but may reduce the level of service provision due to our inability to realize the revenue that subsidizes its operation. This category includes, for example, advertising "cookies".
Website configuration "cookies" - allow us to set functions and services on the websites.
Cookies for website security and reliability - allow us to verify the authenticity and optimize website performance.
Authentication cookies - allow our website to recognize when you are logged in so that it can show you relevant information and features.
Session research "cookies" - allow us to record and analyse information about how users use the website. This information may relate to the most frequently visited pages or possible error messages displayed on certain pages. Cookies used to record so-called "session state" help to improve services and enhance the browsing experience.
"Cookies" for studying the processes that take place on our site - they allow us to ensure the smooth operation of our site and the functions available on it.
Advertising cookies - they enable us to display advertisements that are more interesting to users and at the same time more valuable to publishers and advertisers; Cookies can also be used to personalize advertising and to display advertisements outside websites.
Location-access cookies - allow us to adapt the displayed information to the user's location.
Cookies that conduct analyses, research or audience audits - allow us to better understand the preferences of our users and improve and develop our products and services through analysis.