VIRTUES

Privacy Policy

This policy explains, in plain language, what personal data Virtues processes through virtuescloth.com, why we process it, who may receive it, how long we keep it, and how you can exercise your rights.

Effective date: 1 July 2026

1. Who controls your data

The Virtues clothing brand and virtuescloth.com are jointly operated by Matyáš Podroužek and Vojta Holub ("Virtues", "we", "us"). They jointly determine why and how the personal data described in this policy is processed and therefore act as joint data controllers.

Vojta Holub acts as the primary contact point for privacy matters and coordinates responses on behalf of both controllers. You may exercise your rights against either controller. Privacy and data-rights contact: vojta.hollub@seznam.cz. Please write "Privacy request" in the subject line so we can identify your request quickly.

2. Data covered by this policy

Depending on how you use the website, we may process:

  • Newsletter data: your email address, subscription status, the wording and version of the consent you accepted, the request and confirmation dates, withdrawal date, and random technical confirmation or unsubscribe tokens.
  • Website security data: IP address, request time, requested URL, response status, and basic browser or device data if these are recorded in standard hosting and security logs.
  • Cart data on your device: product, size, quantity, and price choices saved in your browser's local storage. This website does not attach those choices to your name or email and does not receive them from local storage.
  • Messages and orders: information you choose to send when you contact us on Instagram or by email, such as your profile name, contact details, order content, delivery details, and the conversation.

Please do not send special-category data, identification documents, payment-card details, or any information that is not needed for your request.

3. The website, cart, and Instagram

This website is primarily a presentation site. It does not accept payments and does not itself conclude or confirm an order. The cart is a non-binding tool stored in your browser that helps you prepare a list of products. Its contents are not automatically sent to Virtues.

If you choose to continue through the Instagram link, you leave this website and communicate through a service operated by Meta. You decide what cart screenshot and other information to send. Product availability, the final price including any delivery charge, payment, delivery, and other purchase terms must be agreed in that conversation before an order becomes binding.

A purchase agreed entirely through Instagram may still be a distance contract. Moving the conversation away from this website does not remove applicable consumer rights or the sellers' duties to provide required information before the customer is bound.

4. Why we process data and our legal bases

PurposeDataLegal basis
Verify and manage newsletter subscriptions and send product news or offersNewsletter data listed aboveYour consent under Article 6(1)(a) GDPR and prior consent under Section 7(2) of Czech Act No. 480/2004 Coll.
Provide the cart function you requestedProduct choices stored only in local storageStorage technically necessary to provide a feature requested by you; no advertising or analytics use
Answer messages, prepare an order, and perform an agreed purchaseContact, message, order, and delivery dataSteps at your request before a contract and performance of a contract, Article 6(1)(b) GDPR
Meet accounting, tax, consumer-protection, or other legal dutiesRequired order and transaction recordsCompliance with legal obligations, Article 6(1)(c) GDPR
Keep the website secure, prevent abuse, and establish or defend legal claimsSecurity logs and relevant recordsOur legitimate interests in security and legal protection, Article 6(1)(f) GDPR

Newsletter consent is optional and is not required to browse the website, use the cart, contact us, or buy a product. Without an email address and consent, we simply cannot provide the newsletter.

5. How newsletter consent works

  1. You enter your email and actively tick the consent box. It is never pre-ticked.
  2. We send a non-promotional verification email containing a confirmation link.
  3. Your subscription becomes active only after you open that link within 48 hours. This double opt-in helps prove that the owner of the address made the request.
  4. Each marketing email must identify Virtues, be recognisable as a commercial newsletter, and contain a free and simple unsubscribe option.

You may withdraw consent at any time through the unsubscribe link in a newsletter or by emailing vojta.hollub@seznam.cz. Withdrawal does not affect processing that was lawful before the withdrawal.

6. Cookies and local storage

The current website code does not use advertising or analytics cookies and does not include third-party tracking pixels. Therefore, no non-essential tracking is activated when you visit the site.

The cart uses a local-storage item named cart to remember products you selected. It remains in your browser until you empty the cart, clear site data, or your browser removes it. Local storage is similar to a cookie, but the cart item is used only to provide the cart feature and is not used to track you across websites.

If analytics, advertising, embedded social content, or other non-essential tracking is added later, it must remain disabled until the website first provides clear information and obtains any consent required by law. This policy will also be updated.

7. Who receives data

Access is limited to what is needed for the stated purposes:

  • authorised people operating Virtues who need the data to manage the newsletter, answer you, or handle an order;
  • the website hosting and database providers that keep the website, security logs, and newsletter records available;
  • Brevo / Sendinblue SAS, 17 rue Salneuve, 75017 Paris, France, which processes the email address and delivery data to send confirmation and newsletter emails for us;
  • Meta Platforms Ireland Limited when you choose to contact us through Instagram; Instagram also processes your data for its own purposes under Meta's terms and privacy policy;
  • professional advisers and public authorities where disclosure is necessary to comply with law or establish, exercise, or defend legal claims.

We do not sell personal data. Processors may use data only under our instructions and contractual confidentiality and security duties, except where a provider acts as an independent controller for its own legally defined purposes.

Provider information: Brevo Privacy Policy and Meta Privacy Policy.

8. International transfers

We prefer processing within the European Economic Area. Some providers or their approved subprocessors may nevertheless process limited data outside the EEA. Where a destination does not benefit from an EU adequacy decision, the relevant provider must use an appropriate GDPR safeguard, such as the European Commission's Standard Contractual Clauses, together with supplementary measures where required.

Brevo states that it may use subprocessors in countries including the United States and India and applies safeguards to those transfers. If you contact us through Instagram, Meta's own international-transfer arrangements also apply. You may ask us for more information about safeguards relevant to your data.

9. How long we keep data

  • Unconfirmed newsletter request: the confirmation link expires after 48 hours. Pending records are then ineligible for mailing and are removed in routine database cleanup.
  • Active newsletter: until you withdraw consent or the newsletter service ends.
  • After unsubscribe: marketing stops immediately. A minimal suppression and consent record may be retained for up to three years to honour the withdrawal and demonstrate compliance, then deleted or anonymised unless a live dispute requires longer.
  • Security logs: according to the hosting provider's shortest practical log-rotation period, normally no longer than 30 days, unless a security incident requires specific records for longer.
  • Order and accounting records: for the periods required by applicable tax, accounting, and consumer-protection law. Other correspondence is deleted when no longer needed, subject to applicable limitation periods.
  • Cart: until you empty it or remove the website's local storage in your browser.

Backup copies are isolated from ordinary use and deleted through the relevant provider's normal backup-rotation cycle.

10. Your rights

Subject to the conditions in the GDPR, you may request access to your data and a copy of it, correction, deletion, restriction of processing, or data portability. You may withdraw consent at any time. Where processing relies on legitimate interests, you may object on grounds relating to your situation; you have an absolute right to object to direct marketing.

Send requests to vojta.hollub@seznam.cz. We may ask for information reasonably necessary to verify that the request concerns you. We respond without undue delay and normally within one month. Exercising these rights is generally free.

You also have the right to complain to the Czech supervisory authority: Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, email: posta@uoou.gov.cz.

11. Security

We use measures appropriate to the risk, including encrypted HTTPS transport, access restrictions, secret API credentials kept outside client-side code, random single-purpose confirmation and unsubscribe tokens, server-side consent validation, and data minimisation. No internet service is risk-free, but suspected incidents are assessed and notified where the GDPR requires it.

12. Children and automated decision-making

The newsletter is not intended for anyone who cannot validly provide their own consent under applicable law. In the Czech Republic, a child may generally provide consent for an information-society service from age 15; below that age, consent must be authorised by a person with parental responsibility.

We do not use the data covered by this policy for decisions based solely on automated processing that produce legal or similarly significant effects, and we do not profile newsletter subscribers.

13. Changes to this policy

We may update this policy when the website, providers, or legal requirements change. The current version and effective date will always be published here. If a change materially affects processing based on consent, we will provide new information and obtain fresh consent where required.