Privacy Policy
Condor Research
Operated by Atrio Sciences s.r.o. (IČO: 57 669 651), a limited liability company incorporated under the laws of the Slovak Republic, with registered office at Hornočermánska 1556/76, 949 01 Nitra, Slovak Republic.
Last updated: 12 June 2026
Version: 2.0
1. Introduction and Scope
This Privacy Policy explains how Atrio Sciences s.r.o. (“Condor Research,” “we,” “us,” or “our”) collects, uses, stores, discloses, and protects personal data in connection with the website www.condorresearch.com (the “Website”), customer accounts, orders, customer support, compliance screening, payment processing, shipping, marketing communications, and all related business operations.
We process personal data in accordance with:
(a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “GDPR”);
(b) Zákon č. 18/2018 Z.z. o ochrane osobných údajov (Slovak Act on Personal Data Protection, as amended);
(c) Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive), as transposed into Slovak law by Zákon č. 452/2021 Z.z. o elektronických komunikáciách (Act on Electronic Communications), as amended (which replaced the former Zákon č. 351/2011 Z.z. with effect from 1 February 2022);
(d) where relevant to product safety, classification, and traceability, obligations under Regulation (EC) No 1907/2006 (REACH), Regulation (EC) No 1272/2008 (CLP), and related Slovak chemical-safety legislation;
(e) other applicable privacy, electronic communications, and data protection laws.
This Privacy Policy should be read together with our Terms and Conditions, Research Use Only Disclaimer, Cookie Policy, Shipping Policy, and any product-specific or checkout notices made available on the Website.
2. Data Controller
The data controller responsible for the processing described in this Privacy Policy is:
Atrio Sciences s.r.o.
IČO: 57 669 651
Hornočermánska 1556/76, 949 01 Nitra, Slovak Republic
Email: info@condorresearch.com
Website: www.condorresearch.com
Privacy contact: For all privacy-related requests, rights exercises, complaints, and queries, contact us at info@condorresearch.com with the subject line “Privacy Request.”
Data Protection Officer: Atrio Sciences s.r.o. does not process personal data on a large scale, does not engage in systematic monitoring of individuals on a large scale, and does not process special categories of data as a core activity. The incidental receipt of special-category data described in section 7 does not constitute a core activity. Accordingly, we are not currently required to designate a Data Protection Officer under Article 37 GDPR. The privacy contact identified above handles all data protection matters. We keep our obligation to designate a Data Protection Officer under review and will appoint one if the nature, scope, or purposes of our processing change.
Data protection impact assessments: We have assessed our automated compliance, fraud-prevention, and geographic-restriction processing against Article 35 GDPR. Where a type of processing is likely to result in a high risk to your rights and freedoms, we carry out a data protection impact assessment before commencing it, and we keep that assessment under review.
3. Scope of this Privacy Policy
This Privacy Policy applies to personal data processed when you:
(a) visit or use the Website, including as an unregistered visitor;
(b) create or manage a customer account;
(c) place, modify, cancel, or inquire about an order;
(d) request customer support or lodge a complaint;
(e) submit information for compliance, eligibility verification, or due diligence purposes;
(f) subscribe to, receive, or interact with our marketing or transactional communications;
(g) communicate with us by email, website form, chat, telephone, or any other channel;
(h) interact with our payment, logistics, fraud prevention, analytics, or security systems;
(i) interact with us in a business-to-business capacity as a research institution, laboratory, or professional operator.
This Privacy Policy does not apply to third-party websites, platforms, payment processors, carriers, or external services, which operate under their own privacy policies. We are not responsible for those third parties’ data practices.
4. Personal Data We Collect
We collect and process only the personal data that is necessary for the purposes described in this Privacy Policy. Depending on your interaction with us, this may include the following categories.
4.1 Account and Identity Data
(a) full name;
(b) company or institution name;
(c) professional role, capacity, or research affiliation where provided;
(d) billing and shipping address;
(e) email address;
(f) telephone number;
(g) account username, account ID, and login credentials (stored in hashed form — passwords are never stored in plain text);
(h) VAT identification number, company registration number, or other business identifiers where applicable.
4.2 Order and Transaction Data
(a) products ordered, product identifiers, and batch references;
(b) order value, currency, and invoice details;
(c) payment method selected;
(d) transaction status, references, and timestamps;
(e) order notes and special instructions;
(f) shipping method, tracking information, and delivery status;
(g) returns, defects, reshipments, store credits, replacements, or complaints;
(h) communications relating to the order.
4.3 Payment Data
We process payment method type, payment status, transaction reference, billing address, anti-fraud indicators, and limited payment metadata.
We do not store full payment card numbers or card security codes. Where card payments are available, they are processed directly by our authorised payment service provider, which operates under its own PCI-DSS obligations. SEPA transfers are processed through banking and electronic money institution providers. Cryptocurrency payments are processed through BTCPay Server (self-hosted infrastructure) and, where applicable, CoinGate (a MiCA-licensed provider). We do not have access to private keys or full blockchain wallet data beyond transaction identifiers and confirmation status.
4.4 Compliance and Verification Data
Because our Products are supplied strictly for Research Use Only (RUO) purposes, we may process data necessary to assess eligibility, compliance, order risk, and lawful fulfilment. This may include:
(a) stated research, analytical, educational, industrial, or professional purpose;
(b) institutional or professional affiliation;
(c) business or laboratory information;
(d) professional credentials, licences, or registrations where requested;
(e) VAT number or company registration information;
(f) sanctions, export control, fraud, or restricted-party screening data and results;
(g) country, region, and jurisdictional information;
(h) order risk indicators, fraud scores, and anomaly flags;
(i) records of refused, cancelled, restricted, held, or manually reviewed orders and the reasons therefor;
(j) minimised records of communications indicating prohibited use, non-research intent, misuse, fraud, circumvention, or material breach of our Terms, retained and handled in accordance with sections 7 and 12.
4.5 Customer Support and Communications Data
(a) email communications and correspondence;
(b) website form submissions;
(c) customer support messages, tickets, and case notes;
(d) complaints, inquiries, or requests and our responses;
(e) internal compliance notes relating to support interactions, product quality, or dispute handling;
(f) records of communications retained where necessary to evidence compliance with our Terms or applicable law, handled in accordance with sections 7 and 12.
4.6 Technical and Usage Data
When you use the Website, we or our service providers may collect:
(a) IP address and derived approximate geolocation;
(b) browser type, version, and language settings;
(c) device type, operating system, and screen resolution;
(d) time zone and language settings;
(e) pages visited, navigation paths, and session duration;
(f) referring URLs and exit pages;
(g) session identifiers and server log data;
(h) security events, failed authentication attempts, and anomaly signals;
(i) cookie identifiers and similar tracking technology data, subject to our Cookie Policy.
We process IP address and derived approximate location primarily for security, fraud-prevention, and geographic-restriction purposes on the basis of our legitimate interests (and, for sanctions and other legal-obligation purposes, Article 6(1)(c) GDPR). We treat dynamic IP addresses as personal data. We do not use IP-based or location-based tracking for advertising. Any analytics use of this data that relies on accessing or storing information on your device is consent-based and described in our Cookie Policy.
4.7 Marketing and Preferences Data
(a) email marketing consent records, including timestamp, method of consent, and consent text presented;
(b) opt-out and unsubscribe records;
(c) email engagement data where lawfully collected (open events, click events);
(d) product interest signals and purchase history used to personalise communications where lawfully permitted. Where any such personalisation involves profiling, preference, or analytical surveys within the meaning of §116 of Act 452/2021 Z.z., we treat it as direct marketing subject to section 18 and to your right to object under section 13.6.
5. How We Collect Personal Data
We collect personal data:
(a) directly from you when you create an account, place an order, complete checkout, contact us, subscribe to communications, or submit any information through the Website;
(b) automatically through server logs, cookies, security tools, and analytics tools operating on the Website, as described in our Cookie Policy;
(c) from service providers acting on our behalf, including payment processors, logistics partners, fraud prevention tools, and sanctions screening services, in connection with the processing of your transactions;
(d) from publicly available business or professional sources, where necessary for compliance verification, fraud prevention, sanctions screening, or dispute handling (for example, official company registries or sanctions lists);
(e) from competent authorities, customs bodies, payment providers, or carriers, where relevant to order fulfilment, legal compliance, or risk management and where such disclosure is lawful.
6. Purposes and Legal Bases for Processing
We process personal data only where a valid legal basis exists under Article 6 GDPR. The applicable legal bases are: (i) contract performance (Art. 6(1)(b)); (ii) compliance with a legal obligation (Art. 6(1)(c)); (iii) legitimate interests (Art. 6(1)(f)), applied where our interests or those of a third party are not overridden by your interests or fundamental rights; and (iv) consent (Art. 6(1)(a)), where specifically indicated.
Where we rely on legitimate interests, the interests pursued are: operating a lawful and compliant RUO distribution business; preventing misuse, fraud, unlawful conduct, and regulatory harm; protecting the integrity of our supply chain; maintaining accurate business records; and exercising and defending legal claims. We have assessed that these interests are not overridden by the rights of data subjects in the relevant contexts, given the professional and commercial nature of our customer relationships and the inherent compliance obligations of our business.
For each processing activity relying on Article 6(1)(f), we have carried out and documented a legitimate interests assessment (LIA) recording (i) the specific interest pursued, (ii) why the processing is necessary and proportionate to that interest, and (iii) a balancing of that interest against your interests, rights, and freedoms, including a consideration of your reasonable expectations given the professional, compliance-sensitive nature of the supply of research-use-only materials. A summary of the relevant LIA is available on request at info@condorresearch.com. You may object to any legitimate-interests processing on grounds relating to your particular situation under section 13.6; where you object to compliance, fraud-prevention, or order-risk processing, we may be unable to accept or fulfil orders to you because that processing is integral to lawful supply (see section 13.6).
6.1 Account Creation and Website Operation
Purpose: Creating and maintaining customer accounts, securing access, managing sessions, and operating and securing the Website.
Legal basis: Contract performance; legitimate interests in operating and securing the Website and its infrastructure. Any analytics directed at improving the Website that relies on non-essential cookies or similar technologies is carried out on the basis of consent, as described in our Cookie Policy.
6.2 Order Processing and Contract Fulfilment
Purpose: Accepting, reviewing, processing, dispatching, delivering, cancelling, or otherwise managing orders, including issuing invoices and managing payments.
Legal basis: Contract performance; legal obligation (accounting and tax records); legitimate interests in operating our business.
6.3 RUO Compliance, Eligibility Screening, and Order Risk Review
Purpose: Assessing whether a Customer is eligible to purchase, whether an order is consistent with lawful RUO purposes, whether product-specific geographic or regulatory restrictions apply, and whether an order should be accepted, refused, cancelled, restricted, or manually reviewed.
Legal basis: Legitimate interests (Article 6(1)(f)) in preventing misuse, fraud, unlawful conduct, regulatory exposure, and reputational harm, and in the retention of misuse records for the establishment, exercise, or defence of legal claims, as documented in our legitimate interests assessment for each operation; and, where a specific obligation binds us, compliance with a legal obligation (Article 6(1)(c)). Compliance keyword detection is limited to the minimum necessary to identify prohibited-use signals, does not by itself produce decisions with legal or similarly significant effect (Article 22), and is subject to human review under section 8.2. Special-category data surfaced by any of this processing is handled under section 7.
6.4 Sanctions, Export Control, and Fraud Prevention
Purpose: Screening orders and customers against applicable sanctions and restricted-party lists (EU Consolidated Financial Sanctions List, UN Security Council Consolidated List, and equivalent instruments); complying with export-control and restrictive-measures obligations; detecting and preventing fraud, payment abuse, and Website security incidents.
Legal basis: Compliance with a legal obligation (Article 6(1)(c)) under directly applicable EU restrictive-measures (sanctions) Regulations to which we are subject (including Council Regulation (EU) No 833/2014 and Council Regulation (EC) No 765/2006), UN sanctions implemented in EU law, and Act No. 289/2016 Z.z. on the implementation of international sanctions, for sanctions and restricted-party screening; and legitimate interests (Article 6(1)(f)) for fraud, payment-abuse, and security screening that goes beyond a specific legal obligation, as documented in our legitimate interests assessment. Where any anti-money-laundering obligation under Zákon č. 297/2008 Z.z. applies to a given transaction, we process the necessary data under Article 6(1)(c) for that purpose; we do not assert a blanket anti-money-laundering legal obligation where none applies.
6.5 Payment Processing and Financial Administration
Purpose: Receiving, verifying, reconciling, and accounting for payments; managing refunds or credits where legally required; fraud prevention in payment transactions.
Legal basis: Contract performance; legal obligation (accounting, VAT, and tax law); legitimate interests in payment security and fraud prevention.
6.6 Shipping, Logistics, and Customs
Purpose: Arranging fulfilment, dispatch, carrier handover, delivery tracking, customs documentation, and logistics-related customer support.
Legal basis: Contract performance; legal obligation (customs and export documentation requirements); legitimate interests in supply chain integrity and customer support.
6.7 Customer Support and Dispute Handling
Purpose: Responding to requests and complaints, investigating product or delivery issues, preserving evidence, enforcing our Terms, and managing disputes or legal claims.
Legal basis: Contract performance; legitimate interests in customer service, dispute resolution, and legal protection; legal obligation where applicable.
6.8 Product Quality, Batch Traceability, and Safety Management
Purpose: Managing quality issues, batch traceability, safety notices, product holds, recalls, or compliance-related product actions; distributing safety data sheets; and notifying affected customers where necessary.
Legal basis: Compliance with a legal obligation under product-safety and chemical-safety legislation, including Regulation (EC) No 1907/2006 (REACH, including Article 31 on safety data sheets), Regulation (EC) No 1272/2008 (CLP), and related Slovak chemical-safety legislation, in respect of batch traceability and safety processing; legitimate interests in product integrity, customer safety, and legal protection.
6.9 Marketing Communications
Purpose: Sending newsletters, product availability updates, research-oriented communications, and promotional messages by email to eligible recipients.
Legal basis: Consent (for new subscribers and where required by applicable ePrivacy rules); legitimate interests (for existing customers, within the soft opt-in under §116 of Act 452/2021 Z.z., subject to the limits in section 18 and to the right to object at any time).
We will not send marketing emails to recipients who have opted out or withdrawn consent. Transactional and service communications (order confirmations, shipping updates, compliance notices, account security alerts) are sent on the basis of contract performance or legitimate interests and are not affected by marketing opt-outs.
6.10 Legal, Tax, Accounting, and Corporate Compliance
Purpose: Maintaining accounting records, issuing tax-compliant invoices, fulfilling VAT reporting obligations, responding to lawful requests from authorities, maintaining corporate records, and establishing, exercising, or defending legal claims.
Legal basis: Legal obligation (Zákon č. 431/2002 Z.z. on accounting, VAT Act, and applicable commercial law); legitimate interests in legal protection and business administration.
6.11 Corporate Transactions
Purpose: Disclosing limited personal data to prospective buyers, investors, lenders, and their advisers in connection with a merger, acquisition, financing, or restructuring, subject to confidentiality undertakings, and limited to what is necessary for due diligence.
Legal basis: Legitimate interests (Article 6(1)(f)) in pursuing and completing corporate transactions; we have assessed that this processing, given its limited scope and the confidentiality protections applied, does not override data subjects’ interests, rights, or freedoms. This basis is cross-referenced from section 10.2(e).
7. Special Categories of Personal Data
We do not intentionally collect, request, or process special categories of personal data as defined in Article 9 GDPR, including health data, genetic data, biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sexual orientation or gender identity.
You must not provide us with health information, personal medical information, details of treatment, information relating to self-experimentation, or information describing personal administration or consumption of Products. We do not seek such data and have no lawful basis to process it for commercial purposes.
Where such information is nonetheless provided to us, we will, as soon as practicable:
(i) where the data is not required for any purpose in paragraph (iii) below, delete or irreversibly redact it;
(ii) where appropriate, restrict, suspend, refuse, cancel, or close the relevant order or account; and
(iii) retain only the minimum record strictly necessary to establish, exercise, or defend legal claims, to prevent repeated misuse, or to comply with a legal obligation. Such a retained record is limited to the order reference, the nature of the prohibited-use indication, and the action taken, and we do not retain the substantive health or self-administration details beyond what is strictly necessary for that purpose.
We process any record retained under paragraph (iii) under Article 9(2)(f) GDPR (establishment, exercise, or defence of legal claims) and, where applicable, Article 9(2)(g) GDPR read with Slovak law, together with Article 6(1)(f) and, where applicable, Article 6(1)(c). Any such retained record is access-restricted, segregated from marketing and analytics processing, and deleted once the relevant limitation period or legal-claims purpose has lapsed. We do not use special-category data for profiling, fraud scoring, marketing, or any automated decision-making. Where the compliance keyword detection described in section 8.1(d) surfaces information that may constitute special-category data, that information is handled under this section.
The right to erasure (section 13.3) and the right to object (section 13.6) do not require deletion of a record retained under paragraph (iii) where retention remains necessary for the establishment, exercise, or defence of legal claims, to comply with a legal obligation, or to prevent repeated misuse (Article 17(3) GDPR; Article 9(2)(f) GDPR).
8. Automated Processing and Profiling
8.1 Automated Tools Used
We may use automated or semi-automated systems to assist with:
(a) Geographic restriction enforcement — blocking checkout for products not available in the customer’s billing or shipping jurisdiction;
(b) Fraud and payment risk scoring — assessing order risk based on signals including IP address, shipping destination, order value, payment method, and purchase pattern;
(c) Sanctions and restricted-party screening — matching customer name, address, and related data against applicable sanctions and restricted-party lists;
(d) Compliance keyword detection — flagging communications or account activity that suggest non-research intent, prohibited use, or misuse of Products. This tool only flags material for human review and never itself produces a final decision; any special-category data it surfaces is handled under section 7.
8.2 Safeguards and Human Review
Where any of the tools in section 8.1 produces a decision that has legal or similarly significant effects on you (such as refusing, cancelling, or restricting an order or account), we ensure that decision is not based solely on automated processing, by relying on the lawful bases set out below and by applying the safeguards in this section.
(a) Geographic-restriction enforcement and fraud/payment-risk scoring: where any such decision is solely automated, we rely on Article 22(2)(a) GDPR (necessary for the entering into or performance of the contract between you and us).
(b) Sanctions and restricted-party screening: to the extent that such screening results in a solely automated decision producing legal or similarly significant effects, we rely on Article 22(2)(b) GDPR, as this processing is authorised and required by the EU and Slovak sanctions laws to which we are subject (see section 6.4). A positive screening match is always reviewed by authorised personnel before any final adverse decision.
(c) Compliance keyword detection: this tool only flags material for human review and never itself produces a final decision.
Safeguards (Article 22(3) GDPR). You have the right to obtain human intervention on our part, to express your point of view, and to contest the decision. To exercise these rights in relation to a blocked, cancelled, or restricted order, contact us at info@condorresearch.com marked “Automated Decision Review — Urgent.” We will provide human review of order-blocking decisions without undue delay and ordinarily within 5 business days, separately from the general one-month response time for other rights requests set out in section 13.9.
We do not use special categories of personal data in any solely automated decision.
9. Cookies and Similar Technologies
We use cookies and similar technologies to operate and secure the Website, maintain login sessions, support checkout functionality, analyse traffic, and, where you have given consent, deliver relevant communications or analytics.
Detailed information on the cookies we use, their purpose, duration, and your choices is set out in our Cookie Policy, which forms part of this Privacy Policy and is available at www.condorresearch.com/cookie-policy.
The use of non-essential cookies is subject to your consent, obtained through our cookie consent tool. You may withdraw or modify your consent at any time through the cookie settings accessible on the Website or through your browser settings.
10. Recipients and Sub-Processors
We disclose personal data to third parties only where necessary and lawful. Recipients may include:
10.1 Service Providers and Processors
We engage processors in the following categories. The locations shown indicate where the relevant processing principally takes place; the transfer mechanism for any recipient outside the EEA is indicated and described further in section 11.
| Category | Location | Transfer mechanism (if outside EEA) |
|---|---|---|
| Web hosting and infrastructure | EEA (Germany) | — |
| Email and productivity software | USA | EU–US Data Privacy Framework; Standard Contractual Clauses (fallback) |
| Email marketing | EEA (Lithuania) | — |
| Ecommerce platform | Self-hosted (open-source software) | — |
| Crypto-asset payment processing | EEA | — |
| Card/SEPA payment processing | Authorised payment service provider(s), EEA | — |
| Warehousing and fulfilment | EEA (Slovakia) | — |
| Analytical laboratory services | EEA (Czech Republic) | — |
| Accounting services | EEA (Slovakia) | — |
| Sanctions / restricted-party screening | EEA, or performed in-house using published EU and UN consolidated lists | — |
A current list of our processors and sub-processors, identifying the specific provider in each category and confirming the Article 28 data processing agreement and (where relevant) the transfer mechanism in place with each, is maintained in our records and available on request at info@condorresearch.com. We do not transfer personal data to any processor before a data processing agreement compliant with Article 28(3) GDPR is in force.
We require all processors to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures. Where we engage new processors, we conduct due diligence and enter into data processing agreements that comply with Article 28 GDPR, including a requirement to notify us of any personal data breach affecting your data without undue delay (see section 16).
10.2 Other Recipients
(a) Professional advisers — lawyers, accountants, auditors, tax advisers, and corporate service providers, bound by professional confidentiality obligations;
(b) Logistics and customs — carriers, customs brokers, and warehouse operators, to the extent necessary for fulfilment and delivery;
(c) Sanctions and fraud screening providers — to screen against applicable restricted-party lists and fraud databases. Where a crypto-asset service provider (such as CoinGate) processes a payment, it acts as an independent controller for its own anti-money-laundering, know-your-customer, and crypto-asset transfer-traceability obligations under Regulation (EU) 2023/1113 and applicable law, and we share with it only the data required for that purpose and for settlement;
(d) Competent authorities — regulators, customs authorities, law enforcement, courts, the Slovak financial intelligence unit, and public bodies, where we are required or lawfully permitted to disclose, including for export, customs, sanctions, and lawful reporting purposes;
(e) Corporate transaction parties — prospective buyers, investors, lenders, or advisers in connection with a merger, acquisition, financing, or restructuring, subject to confidentiality obligations, on the legal basis identified in section 6.11; if a transaction completes, the acquirer will process data in accordance with its own privacy policy, of which you will be notified.
11. International Transfers
Atrio Sciences s.r.o. is established in the European Union. Most of our processing takes place within the EEA. However, certain service providers operate partly or wholly outside the EEA, in particular:
Email and productivity software (Google Workspace): operated by Google LLC, a US company. Google LLC participates in the EU–US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 as an adequacy decision for transfers to DPF-certified US organisations.
Our reliance on the EU–US Data Privacy Framework is conditional on the adequacy decision remaining in force. Should the Framework be suspended, repealed, or invalidated, we will rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for the relevant transfers, supported by the supplementary measures and transfer impact assessment described below, without interruption to the protection afforded to your data.
Other non-EEA recipients: where no adequacy decision applies, we rely on the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914. Before relying on Standard Contractual Clauses, we carry out and document a transfer impact assessment (TIA) assessing the laws and practices of the destination country and the effectiveness of the Standard Contractual Clauses in light of those laws, and we implement supplementary technical, contractual, and organisational measures (such as encryption in transit and at rest, and strict access controls) where the assessment identifies residual risk.
Where a transfer cannot be adequately protected by one of the above mechanisms, we will not proceed with that transfer until an appropriate safeguard is in place or a derogation under Article 49 GDPR applies. The current list of recipients outside the EEA and their respective transfer mechanisms is maintained in our records. You may request a summary of the relevant transfer impact assessment and a copy of the relevant transfer safeguards by contacting info@condorresearch.com.
12. Data Retention
We retain personal data only for as long as necessary for the specific purpose for which it was collected, having regard to legal obligations, legitimate interests, and the principles of data minimisation and storage limitation under Article 5(1)(e) GDPR.
The following retention periods are maximum periods. We delete or anonymise earlier where the purpose is exhausted, and we review retained records periodically.
| Category | Retention period | Basis |
|---|---|---|
| Account data (active account) | Duration of account + 2 years post-closure (the post-closure period reflecting the applicable Slovak limitation period for claims arising from the relationship) | Contract; legitimate interest |
| Order, invoice, payment, and VAT records | 10 years from the end of the accounting period | Zákon č. 431/2002 Z.z. (accounting); VAT Act |
| Customs and export documentation | 5 years, subject to any longer period required by customs law | Legal obligation |
| Compliance records (refused orders, blacklisted accounts, misuse records) | Up to 5 years post-event. Where an active and documented risk of repeated misuse justifies longer retention, the record is reviewed at least every 12 months and deleted once the risk no longer subsists or the relevant limitation period expires, whichever is later; in no case is it retained longer than necessary for the establishment, exercise, or defence of legal claims | Legitimate interest; Article 9(2)(f) / Article 17(3)(e) where the record reflects volunteered health-related matters (section 7) |
| Customer support communications | 3 years from resolution, or longer where subject to active dispute, subject to deletion once the applicable Slovak limitation period has expired | Legitimate interest |
| Marketing consent and unsubscribe records | Proof-of-consent and opt-out records retained for the duration of the relationship plus the applicable limitation period (maximum 4 years from the last relevant event). Marketing itself ceases on withdrawal or, for soft opt-in, one year after the end of the contractual relationship | Legal obligation; legitimate interest |
| Technical server logs and security logs | 12 months | Legitimate interest (security) |
| Batch traceability and product quality records | Duration of product supply-chain relevance + 5 years, subject to review and to deletion once the applicable Slovak limitation period has expired | Legal obligation (product/chemical safety); legitimate interest |
| Sanctions screening records | 5 years | Legal obligation (sanctions/restrictive-measures compliance) |
For any record retained “or longer where necessary” or for an open-ended period, retention is in every case subject to review and to deletion once the applicable Slovak limitation period (the general limitation period under §101 et seq. of the Civil Code (Zákon č. 40/1964 Zb.), or §397 of the Commercial Code (Zákon č. 513/1991 Zb.) for commercial relationships) has expired, unless a specific statutory retention obligation requires otherwise.
When data is no longer required, we delete, anonymise, or securely destroy it. Where a communication or record necessarily reflects a data subject’s stated intention to use Products otherwise than for research (which may incidentally touch on health-related matters the data subject volunteered), we retain only the minimum necessary and process and retain it under Article 9(2)(f) GDPR and Article 17(3)(e) GDPR, as described in section 7. Where anonymisation is not technically feasible, we apply access restrictions to limit further processing.
13. Your Rights and How to Exercise Them
Under the GDPR and applicable Slovak data protection law, you have the following rights, subject to the conditions, limitations, and exemptions set out in Articles 12–23 GDPR:
13.1 Right of Access (Art. 15)
You may request confirmation of whether we process your personal data and, if so, a copy of that data and the information listed in Article 15(1) GDPR. The right to obtain a copy of your data does not adversely affect the rights and freedoms of others (Article 15(4) GDPR); accordingly, we may redact information that would reveal personal data of, or confidential information relating to, third parties, internal investigations, or our fraud-prevention and compliance methods.
13.2 Right to Rectification (Art. 16)
You may request correction of inaccurate or completion of incomplete personal data.
13.3 Right to Erasure (Art. 17)
You may request deletion of your personal data where it is no longer necessary for the purposes collected, where you have withdrawn consent, where you have successfully objected, or where processing is unlawful. This right does not apply where retention is required by law, where data is necessary for the establishment, exercise, or defence of legal claims (including the compliance and misuse records described in sections 7 and 12), or where other exemptions under Article 17(3) GDPR apply.
13.4 Right to Restriction (Art. 18)
You may request that we restrict processing of your data in the circumstances described in Article 18(1) GDPR (e.g., while accuracy is contested, or where you have objected and we are assessing whether our legitimate interests override yours).
13.5 Right to Data Portability (Art. 20)
Where processing is based on consent or contract performance and is carried out by automated means, you may request a copy of your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and request that it be transmitted directly to another controller where technically feasible. This right applies to data you have provided to us, not to data we have independently generated (such as compliance assessments or internal notes).
13.6 Right to Object (Art. 21)
You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including profiling, where you have grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or rights, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.
You have an unconditional right to object to processing for direct marketing purposes (including any profiling, preference, or analytical surveys that constitute direct marketing) at any time, without the need to provide grounds.
Effect of a valid objection: If you object to marketing processing, we will stop sending marketing communications as set out in section 18.4. Where screening or order-review processing is necessary to perform the contract or to comply with a legal obligation (including sanctions and product-restriction compliance), we cannot conclude or fulfil the order without it; this is a consequence of those legal and contractual requirements and not a penalty for exercising a data-protection right. In relation to the establishment, exercise, or defence of legal claims and the prevention of repeated misuse, the compliance records described in sections 7 and 12 are retained notwithstanding an objection.
13.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw marketing consent, use the unsubscribe link in any communication or contact info@condorresearch.com.
13.8 Rights Regarding Automated Decision-Making (Art. 22)
See section 8.2. You may contact us to request human review of any significantly impactful automated decision; for blocked, cancelled, or restricted orders, the expedited human-review procedure in section 8.2 applies.
13.9 How to Submit a Request
Submit requests to info@condorresearch.com with the subject line “Privacy Request — [Right].”
Response time: We will acknowledge your request promptly and respond within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you of the extension and the reasons for it within the first month. The expedited timeframe in section 8.2 applies to human review of order-blocking decisions.
Identity verification: We may ask you to verify your identity before processing a request, to protect your data from unauthorised disclosure. Where we have reasonable doubts about the identity of the person making a request, we may request additional information necessary to confirm your identity (Article 12(6) GDPR). The one-month period begins only once we have received sufficient information to verify your identity and to identify the data concerned.
Costs: Responding to requests is free of charge. Where requests are manifestly unfounded or excessive (in particular repetitive), we may charge a reasonable administrative fee or refuse to act, in which case we will inform you of our reasons and your right to complain.
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a competent supervisory authority if you believe that our processing of your personal data infringes the GDPR or applicable Slovak data protection law.
The lead supervisory authority for Atrio Sciences s.r.o. is:
Úrad na ochranu osobných údajov Slovenskej republiky
(Office for Personal Data Protection of the Slovak Republic)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Tel: +421 2 3231 3214
Email: statny.dozor@pdp.gov.sk
Website: https://dataprotection.gov.sk/
You may also lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or the place where the alleged infringement occurred (Article 77 GDPR).
We ask that you contact us first so that we may address your concern directly before escalation.
15. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, disclosure, alteration, or destruction, in accordance with Article 32 GDPR. Current measures include, without limitation:
(a) encryption in transit — all Website traffic is served over HTTPS/TLS using a valid SSL certificate issued via Let’s Encrypt, maintained on Cloudways infrastructure;
(b) password hashing — customer account passwords are stored using WordPress’s bcrypt-based hashing mechanism; plain-text passwords are never stored;
(c) access controls — administrative access to the Website, hosting environment, and business systems is restricted to authorised personnel and protected by strong credentials;
(d) server-side security — the hosting environment applies firewall rules, automated backups, and operating system security patches;
(e) processor contractual obligations — service providers with access to personal data are required by contract to implement appropriate security measures;
(f) data minimisation — we collect only the data necessary for the purposes described in this Policy.
No system is completely immune to risk. You are responsible for maintaining the security of your account credentials and for notifying us promptly at info@condorresearch.com if you suspect unauthorised access to your account.
16. Data Breach Notification
In the event of a personal data breach as defined in Article 4(12) GDPR, we will:
(a) assess the breach promptly and document it in our internal breach register;
(b) notify the Office for Personal Data Protection of the Slovak Republic without undue delay, and where feasible within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 GDPR);
(c) notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, likely consequences, and measures taken or proposed (Article 34 GDPR), unless an exemption applies.
Notification to individuals will be made by email to the address associated with their account, or by a prominent notice on the Website where direct notification is not reasonably practicable.
We require all processors, by contract, to notify us of any personal data breach affecting your data without undue delay after becoming aware of it, so that we can meet our own notification deadlines. We document all personal data breaches, including the facts, effects, and remedial action, whether or not they are notifiable, in our internal breach register, in accordance with Article 33(5) GDPR.
17. Children and Minors
The Website is intended exclusively for adults aged 18 or over, acting in a professional, scientific, analytical, educational, or industrial research capacity. We do not knowingly collect personal data from persons under 18.
If we become aware that personal data has been provided by, or an order placed by, a person under 18, we will delete the data, cancel the order, close the account, and take any other appropriate action without delay.
If you are a parent or guardian and believe a minor has submitted data to us, please contact info@condorresearch.com immediately.
18. Marketing Communications
18.1 Consent-Based Marketing
Where required by applicable ePrivacy rules (Directive 2002/58/EC as transposed in Slovakia by Zákon č. 452/2021 Z.z., as amended), we will send marketing emails only to recipients who have given prior, freely given, specific, informed, and unambiguous consent. Consent is collected via a compliant opt-in mechanism at the point of subscription and is recorded with a timestamp, consent text, and method.
18.2 Existing Customer Communications (Soft Opt-In)
Where permitted by §116 of Act 452/2021 Z.z., we may send marketing communications concerning our own goods or services similar to those previously purchased, to an existing customer whose email address we obtained in connection with that sale, provided that:
(a) the communication relates to our own similar research products or services;
(b) the customer was given a clear, free opportunity to object to such use at the time the address was collected and is given that opportunity in every subsequent communication;
(c) the customer has not objected or unsubscribed; and
(d) no more than one year has elapsed since the end of the relevant contractual relationship.
After one year from the end of the contractual relationship, we will not send soft opt-in marketing without obtaining fresh consent. Where any communication involves profiling, preference, or analytical surveys within the meaning of §116, we treat it as direct marketing subject to this section and to the right to object under section 13.6.
18.3 Transactional and Service Communications
Order confirmations, shipping notifications, payment receipts, account security alerts, compliance notifications, and essential service messages are sent on the basis of contract performance or legitimate interests and are not affected by marketing opt-outs.
18.4 Opt-Out
You may opt out of all marketing communications at any time by: (a) clicking the unsubscribe link in any email; or (b) contacting info@condorresearch.com with the subject line “Unsubscribe.” We action opt-out requests without undue delay and will stop sending marketing communications as soon as practicable, and in any event at the latest within a few working days; we do not impose any minimum period before an objection to direct marketing takes effect. Unsubscribe records are retained to evidence compliance with opt-out obligations.
19. Third-Party Links and Services
The Website may contain links to third-party websites, scientific databases (including PubMed), payment providers, carrier portals, and other external services. These third parties operate independently and are not subject to this Privacy Policy. We are not responsible for their privacy practices, content, or security. We encourage you to review the privacy policies of any third-party services you access.
20. Changes to This Privacy Policy
This Privacy Policy is an information notice. We may update it periodically to reflect changes in our business operations, technical infrastructure, legal obligations, service providers, or data protection practices.
We will inform you of material changes by updating the “Last updated” date and the version number and, where the changes are significant, by means of a notice on the Website or by direct notification to registered customers. Where any change introduces new processing that requires your consent, we will obtain that consent separately through a clear affirmative action; continued use of the Website does not constitute consent to such new processing. For processing based on legitimate interests or contract, the updated Policy describes how we will process your data going forward.
This Privacy Policy does not by itself amend the Terms and Conditions or any contract. Where a change to how we process personal data is relevant to the contract, the Terms and Conditions and their variation mechanism govern any contractual change.
21. Contact
For all privacy-related inquiries, rights requests, or complaints:
Atrio Sciences s.r.o.
IČO: 57 669 651
Hornočermánska 1556/76, 949 01 Nitra, Slovak Republic
Email: info@condorresearch.com (subject: “Privacy Request”)
Website: www.condorresearch.com
