ALN - Construct

Privacy Policy

Article 1
Introductory Provisions
These Privacy Policy on Personal Data Processing (hereinafter referred to as the “Policy”) are prepared in accordance with the requirements of:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter “GDPR”),
• Act No. 18/2018 Coll. on Personal Data Protection and on amendments and supplements to certain acts, as amended (hereinafter the “Personal Data Protection Act”).

Controller:
ALN – Construct, s.r.o.
Registered office: Dyčka 261, 952 01 Vráble, Slovak Republic
Company ID: 53882938
Tax ID: 2121517959
VAT ID: SK2121517959
Registered in the Commercial Register of the District Court Nitra, Section: Sro, Entry Number: 55847/N
Email: alnconstruct.sk@gmail.com
Phone: +421 948 094 275
Website: www.aln-construct.com

This Policy provides clear, transparent, and complete information to data subjects about:
a. the purposes and legal bases of personal data processing,
b. the scope of processed data,
c. categories of recipients,
d. retention periods,
e. the rights of data subjects,
f. conditions for exercising these rights,
g. transfers to third countries,
h. the use of cookies and other tracking technologies,
i. security measures for data protection.

The controller processes personal data transparently, lawfully, and fairly, following the principles of processing under Article 5 GDPR, specifically the principles of:
a. lawfulness, fairness, and transparency,
b. purpose limitation,
c. data minimization,
d. accuracy,
e. storage limitation,
f. integrity and confidentiality.

The controller has implemented appropriate technical and organizational measures to ensure personal data protection, particularly:
a) securing the website with an SSL certificate,
b) restricting access rights to authorized persons,
c) using strong passwords and two-factor authentication,
d) regularly updating software and security systems,
e) regular data backups,
f) encryption of communications,
g) physical security of devices and workstations.

Article 2
Definitions
For the purposes of this Policy, the following terms have the meanings ascribed to them:

  1. Personal Data – any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person (Art. 4(1) GDPR).

  2. Data Subject – a natural person whose personal data are processed and who is identified or identifiable. The data subject has the rights specified in this Policy, the GDPR, and the Personal Data Protection Act.

  3. Processing of Personal Data – any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (Art. 4(2) GDPR).

  4. Controller – a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the criteria for its designation may be provided by such law (Art. 4(7) GDPR).

  5. Processor – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, based on a data processing agreement pursuant to Art. 28 GDPR and § 34 et seq. of the Personal Data Protection Act.

  6. Third Party – a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, or persons authorized to process personal data under the direct authority of the controller or processor.

The controller does not perform automated individual decision-making, including profiling, under Art. 22 GDPR. If this occurs in the future, the controller will provide all legally required information to data subjects.

Article 3
Contact Details of the Controller
The controller within the meaning of Art. 4(7) GDPR and § 5(c) of Act No. 18/2018 Coll. is:
ALN – Construct, s.r.o.
Registered office: Dyčka 261, 952 01 Vráble, Slovak Republic
Company ID: 53882938
Tax ID: 2121517959
VAT ID: SK2121517959
Registered in the Commercial Register of the District Court Nitra, Section: Sro, Entry Number: 55847/N
Email: alnconstruct.sk@gmail.com
Phone: +421 948 094 275
Website: www.aln-construct.com

The data subject may contact the controller regarding personal data processing:

a. in writing at the registered office,
b. electronically at the email address alnconstruct.sk@gmail.com,
c. by phone at +421 948 094 275,
d. via the contact form available on the controller’s website www.aln-construct.com/contact/.

The controller is not obliged to appoint a data protection officer under Art. 37 GDPR. All questions regarding personal data protection may be addressed to the above contacts.

Article 4
Categories of Processed Personal Data
The controller processes personal data to the extent necessary to achieve the stated purposes, always observing the data minimization principle under Art. 5(1)(c) GDPR.

The processed data include, in particular:
a. Identification Data: Name and surname, trade name (for sole traders), Company ID, Tax ID / VAT ID, and other identification data specified in contracts or orders.
b. Contact Data: Email address, phone number, permanent address or business address, and correspondence address, if applicable.
c. Order and Transaction Data: Information about purchased products or services, date and time of order, method and date of payment, invoice number or variable symbol.
d. Service-related Data: Information necessary for the execution of ordered works, technical specifications of projects, data included in orders or contracts.
e. Technical Data: IP address, type and version of device and browser, operational and log records, data from cookies and other visitor tracking technologies (e.g., Google Analytics).

Source of Personal Data:
The controller primarily obtains personal data directly from the data subject (e.g., through an order, contact form, registration, or email communication). In justified cases, personal data may also be obtained from a third party (e.g., business partner or service client), or from publicly available sources, if necessary for contract performance or the legitimate interest of the controller.

Article 5
Purposes of Processing and Legal Bases

Purpose of ProcessingLegal BasisDescription
Performance of a contractArt. 6(1)(b) GDPRProcessing is necessary for the conclusion and performance of a contract with the data subject, particularly for handling orders, providing services, or delivering digital content.
Compliance with legal obligationArt. 6(1)(c) GDPRProcessing is necessary to fulfill obligations arising from legal regulations, e.g., accounting, tax obligations, or contract archiving.
Legitimate interests of the ControllerArt. 6(1)(f) GDPRProcessing is necessary for the legitimate interests of the controller, particularly for communication with customers, handling complaints, protecting legal claims, preventing fraud, or ensuring website security.


Obligation to provide personal data: Providing personal data is a contractual requirement. Without providing the necessary personal data, it is not possible to conclude a contract or provide the ordered service.
In the case of legal obligations (e.g., accounting or tax regulations), providing personal data is mandatory. Failure to provide data may result in the inability to perform the legal act or meet the legal obligation.

Before processing personal data based on legitimate interest, the controller conducted a proportionality and balancing test and concluded that its legitimate interests do not override the rights and freedoms of data subjects

Article 6
Principles of Cookies Usage

Type of CookiesPurpose of ProcessingLegal BasisRetention Period
Necessary (technical)Ensure basic operation of the website and its functions, such as remembering login, saving cart contents, or managing security elements.§ 109(8) of Act No. 452/2021 Coll. on electronic communications; processing of related personal data is based on legitimate interest under Art. 6(1)(f) GDPR.During session or until deletion by the user.
PreferenceRemember user settings and preferences (e.g., language, region, display settings).Art. 6(1)(a) GDPR – consent of the data subject.6–12 months or until withdrawal of consent.
Statistical (analytical)Collect anonymous data on website traffic and user behavior to improve website functionality and content (e.g., Google Analytics).Art. 6(1)(a) GDPR – consent of the data subject.14 months or until withdrawal of consent.

When using Google Analytics, the controller activates IP anonymization to ensure that the IP address is shortened before further processing.
Use of cookies that are not necessary for website operation is performed exclusively based on the prior consent of the website visitor. This consent can be withdrawn at any time via browser settings or cookie management on the controller’s website. Necessary cookies ensuring technical functionality of the website and service provision are stored even without user consent, based on the controller’s legitimate interest and in accordance with § 109(8) of Act No. 452/2021 Coll. on electronic communications.

Article 7
Recipients of Personal Data

  1. The controller provides personal data only to verified and trustworthy recipients who ensure an appropriate level of data protection, in the course of fulfilling contractual and legal obligations and website operation. Personal data may be provided, in particular, to the following categories of recipients:
    a. Websupport s. r. o. – provision of web hosting and domain services, processing identification, contact, and technical data based on Art. 6(1)(b) and (f) GDPR.
    b. MN Webstudio s.r.o. – IT administration, website maintenance, and technical support, processing technical and access data based on legitimate interest under Art. 6(1)(f) GDPR.
    c. Google Ireland Ltd. – provision of analytical services (Google Analytics), email communication (Gmail), and cloud services, processing contact, technical, and analytical data based on consent under Art. 6(1)(a) GDPR and legitimate interest under Art. 6(1)(f) GDPR.

  2. All listed recipients process personal data exclusively based on a written contract or other legal act in accordance with Art. 28 GDPR and commit to ensure appropriate technical and organizational measures to protect personal data.

Article 8
Transfers of Personal Data to Third Countries

  1. The controller processes personal data primarily within the territory of the Slovak Republic and EU or EEA member states. In cases where transfer to third countries that do not ensure an adequate level of protection according to the European Commission is necessary, such transfer takes place only under the conditions of Chapter V GDPR, in particular:
    a. based on an adequacy decision of the European Commission under Art. 45 GDPR,
    b. or by applying appropriate safeguards under Art. 46 GDPR, including standard contractual clauses issued by the European Commission,
    c. or if one of the exceptions under Art. 49 GDPR applies (e.g., explicit consent of the data subject, performance of a contract, assertion of legal claims).

  2. In case of data transfer to the USA, particularly when using services from providers such as Google, the controller ensures that the recipient participates in the EU-U.S. Data Privacy Framework or that standard contractual clauses approved by the European Commission are concluded.

Article 9
Retention Periods of Personal Data

  1. Personal data are retained only for as long as necessary to fulfill the purposes for which they are processed and in accordance with the minimization principle under Art. 5(1)(c) and (e) GDPR. After this period, data are securely deleted or anonymized.

  2. Specific retention periods are as follows:
    a. Data related to contract performance and orders – 10 years from the termination of the contractual relationship (in accordance with accounting and tax laws).
    b. Data necessary to assert legal claims – for the statute of limitations period under the Civil Code (usually 3 years, for some claims up to 10 years).
    c. Data from contact forms – up to 12 months from receipt if no contract is concluded.
    d. Data from cookies – according to the type of cookie (see Article on Cookies Usage).

  3. After the expiry of these periods, the controller securely disposes of or anonymizes personal data so that they cannot be linked back to the data subject.

Article 10
Rights of Data Subjects
The data subject (hereinafter “applicant”) has, in accordance with Articles 12–22 and 34 GDPR, as well as §§ 21–28 of Act No. 18/2018 Coll., the following rights, which may be exercised against the controller:

  1. Right of Access to Personal Data
    a. Under Art. 15 GDPR and § 21 of the Act, the applicant has the right to obtain confirmation from the controller as to whether their personal data are being processed and, if so, access to such data.
    b. This right includes information about the purposes of processing, categories of personal data, recipients or categories of recipients, retention period, rights of the data subject, the right to lodge a complaint with the supervisory authority, as well as information on the source of data and any automated decision-making including profiling.
    c. The controller is obliged to provide a copy of the processed personal data; for additional copies, a reasonable administrative fee may be charged.

  2. Right to Rectification
    Under Art. 16 GDPR and § 22 of the Act, the applicant has the right to rectify inaccurate personal data concerning them and to complete incomplete data without undue delay.

  3. Right to Erasure (“Right to be Forgotten”)
    a. Under Art. 17 GDPR and § 23 of the Act, the applicant has the right to have personal data erased if one of the reasons in these provisions applies, for example:
    i. the data are no longer necessary for the purposes for which they were collected,
    ii. the applicant has withdrawn consent on which the processing is based, and no other legal basis exists,
    iii. the applicant objects to processing and there are no overriding legitimate grounds for processing,
    iv. the data have been unlawfully processed.
    b. This right does not apply if processing is necessary for compliance with a legal obligation, archiving in the public interest, scientific or historical research, statistics, or for establishing, exercising, or defending legal claims.

  4. Right to Restriction of Processing
    Under Art. 18 GDPR and § 24 of the Act, the applicant has the right to restrict processing if:
    a. the accuracy of the data is contested during the verification period,
    b. processing is unlawful, and the applicant requests restriction instead of erasure,
    c. the controller no longer needs the personal data for processing purposes, but the applicant requires them for establishing, exercising, or defending legal claims,
    d. the applicant has objected to processing, pending verification of whether the controller’s legitimate grounds override the applicant’s reasons.

  5. Right to Data Portability
    Under Art. 20 GDPR and § 26 of the Act, the applicant has the right to receive personal data provided to the controller in a structured, commonly used, and machine-readable format and to transmit these data to another controller if processing is based on consent or contract and performed by automated means.

  6. Right to Object to Processing
    a. Under Art. 21 GDPR and § 27 of the Act, the applicant has the right to object at any time to the processing of personal data based on the controller’s legitimate interests or the performance of a task in the public interest, including profiling.

  7. Right to Withdraw Consent
    Under Art. 7(3) GDPR, the applicant has the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

  8. Right to Lodge a Complaint with a Supervisory Authority
    a. Under Art. 77 GDPR and § 100 of the Act, the applicant has the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic, if they believe their rights have been violated.
    b. Website: www.dataprotection.gov.sk, email: statny.dozor@pdp.gov.sk.

  9. Procedure for Exercising Rights:
    Requests to exercise rights can be addressed in writing to the controller’s registered office or electronically to the email provided in this Policy. The controller is obliged to handle the request without undue delay, at the latest within one month of receipt. In justified cases, this period may be extended by an additional two months, with prior notice to the applicant.

Article 11
Final Provisions

  1. This Privacy Policy on Personal Data Processing comes into effect on 13.03.2026 and is published on the controller’s website.

  2. The controller is entitled to amend or supplement this Policy at any time, particularly due to legislative changes, decisions of relevant authorities, or changes in personal data processing methods. The current version of the Policy is always published on the controller’s website.

  3. In the event of a substantial change to the Policy that may affect the rights or obligations of data subjects, the controller will inform them appropriately, particularly via email or a visible notice on the website.

  4. Legal relationships not regulated by this Policy are governed directly by applicable EU regulations, particularly Regulation (EU) 2016/679 (GDPR), and Act No. 18/2018 Coll. on Personal Data Protection and amendments to certain acts.

Artikel 4

Kategorien der verarbeiteten personenbezogenen Daten

Der Verantwortliche verarbeitet personenbezogene Daten nur im Umfang, der zur Erreichung der festgelegten Zwecke erforderlich ist, und beachtet dabei stets das Prinzip der Datenminimierung gemäß Art. 5 Abs. 1 lit. c DSGVO.

Zu den verarbeiteten Daten gehören insbesondere:
a. Identifikationsdaten: Name und Nachname, Firmenname (bei Unternehmern – natürlichen Personen), Registernummer (IČO), Steuer-ID/USt-IdNr. (DIČ/IČ DPH) und weitere in Verträgen oder Bestellungen angegebene Identifikationsdaten.
b. Kontaktdaten: E-Mail-Adresse, Telefonnummer, Wohn- oder Geschäftsadresse, ggf. Korrespondenzadresse.
c. Daten zu Bestellungen und Transaktionen: Informationen zu gekauften Produkten oder Dienstleistungen, Datum und Uhrzeit der Bestellung, Zahlungsart und -datum, Rechnungsnummer oder variabler Verwendungszweck.
d. Daten im Zusammenhang mit der Leistungserbringung: Informationen zur Durchführung bestellter Arbeiten, technische Projektspezifikationen, Daten aus Bestellungen oder Verträgen.
e. Technische Daten: IP-Adresse, Gerätetyp und Browser-Version, Betriebs- und Logdaten, Daten aus Cookies und anderen Tracking-Technologien (z. B. Google Analytics).

Quelle der personenbezogenen Daten:
Die Daten werden primär direkt von der betroffenen Person erhoben (z. B. über Bestellungen, Kontaktformulare, Registrierung oder E-Mail-Kommunikation). In begründeten Fällen können Daten auch von Dritten (z. B. Geschäftspartnern) oder aus öffentlich zugänglichen Quellen bezogen werden, sofern dies für die Vertragserfüllung oder berechtigte Interessen des Verantwortlichen erforderlich ist.