Privacy Policy

Information about the personal data controller:

"MILOTKA" EOOD is a company registered in the Commercial Register of the Registry Agency with UIC 206293003, with registered office and management address: Sofia, PO Box 1172, 126 Tintyava St., entrance A, floor 5, apt. 15, Tel: +35924393553; e-mail: info@milotka.com.

Grounds and purposes for which we use your personal data

We process your personal data on the following grounds:

  • A contract concluded between us and you, in order to fulfill our obligations under it;
  • Explicit consent from you – the purpose is specified for each specific case;
  • If there is a legal obligation;

In the following paragraphs you will find detailed information about the processing of your personal data, depending on the basis on which we process it.

FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data to fulfill contractual and pre-contractual obligations and to exercise the rights under the contracts concluded with you.

Purposes of processing:

  • establishing your identity;
  • management and execution of your request and execution of a concluded contract;
  • preparation of a proposal for concluding a contract;
  • preparing and sending an invoice for the services you use with us;
  • to provide you with the comprehensive service you need, as well as to collect the amounts due for the services used;
  • maintaining correspondence regarding orders placed, processing requests, reporting problems, etc.
  • notification of everything related to the services you use with us;
  • customer history analysis;
  • detect and/or prevent illegal actions or actions in violation of our terms for the relevant services;

Data we process on this basis:

On the basis of the contract concluded between us and you, we process information about the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:

  • personal contact details – contact address, email, telephone number;
  • identification data  full name, single civil number or personal number of a foreigner, permanent address;
  • data on orders placed;
  • correspondence in connection with the overall service – e-mail, letters, information about your requests for troubleshooting, complaints, requests, grievances, feedback we receive from you;
  • credit or debit card information, bank account number or other banking and payment information in connection with payments made;

other information such as:

  • Customer number, code or other identifier created for identification;
  • IP address when visiting our website;
  • Demographic data
  • Social media profile data
  • Information from your actions on the site

The processing of the above personal data is mandatory for us in order to be able to conclude the contract with you and perform it. Without you providing us with the above data, we would not be able to perform our obligations under the contract.

We provide personal data to third parties

We provide your personal data to third parties, our main goal being to offer you quality, fast and comprehensive service. We do not provide your personal data to third parties before we ensure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control to fulfill this goal. In this case, we remain responsible for the confidentiality and security of your data.

We provide personal data to the following categories of recipients (personal data controllers):

  • postal operators and courier companies;
  • persons who, by assignment, maintain equipment, software and hardware used for processing personal data and necessary for the company's activities;
  • persons providing consulting services in various fields.

When do we delete data collected on this basis?

We delete the data collected on this basis 180 days after the termination of the contractual relationship, whether due to expiration of the contract, cancellation or other reason.

FOR FULFILMENT OF REGULATORY OBLIGATIONS

We may be required by law to process your personal data. In these cases, we are required to carry out the processing, such as:

  • Obligations under the Anti-Money Laundering Measures Act;
  • Fulfillment of obligations in relation to distance selling, off-premises selling, as provided for in the Consumer Protection Act;
  • Providing information to the Consumer Protection Commission or third parties as provided for in the Consumer Protection Act;
  • Providing information to the Personal Data Protection Commission in relation to obligations provided for in the personal data protection legislation;
  • Obligations provided for in the Accountancy Act and the Tax and Social Security Procedure Code and other related regulatory acts, in connection with the keeping of legal accounting records;
  • Providing information to the court and third parties within the framework of proceedings before a court, in accordance with the requirements of the regulatory acts applicable to the proceedings;
  • Age verification when shopping online.

When do we delete personal data collected on this basis?

We delete data collected pursuant to a statutory obligation once the obligation to collect and store it has been fulfilled or has ceased to exist. For example:

  • under the Accounting Act for storage and processing of accounting data (11 years),
  • obligations to provide information to the court, competent state authorities, etc. grounds provided for in the current legislation (5 years).

Providing data to 3rd parties

When we are required by law to do so, we may provide your personal data to the competent government authority, natural person or legal entity.

AFTER YOUR CONSENT

We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We will not foresee any adverse consequences for you if you refuse to process your personal data.

Consent is a separate ground for processing your personal data and the purpose of the processing is specified therein, and is not covered by the purposes listed in this policy. If you give us the relevant consent and until its withdrawal or termination of any contractual relationship with you, we prepare suitable product/service offers for you by performing detailed analyses of your basic personal data;

Data we process on this basis:

On this basis, we only process data for which you have given us your explicit consent. The specific data is determined in each individual case. Typically, this data is email, name and telephone number.

Providing data to third parties

On this basis, we may provide your data to marketing agencies, Facebook, Google or similar.

Withdrawal of consent

The consents given can be withdrawn at any time. The withdrawal of consent has no impact on the performance of contractual obligations. If you withdraw your consent to the processing of personal data in any or all of the ways described above, we will not use your personal data and information for the purposes specified above. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw the consent you have given, you only need to use our website or simply our contact details.

When do we delete data collected on this basis?

We delete the data collected on this basis upon your request or 180 days after its initial collection.

PROCESSING OF ANONYMIZED DATA

We process your data for static purposes, meaning for analyses in which the results are only aggregated and therefore the data is anonymous. It is not possible to identify a specific person from this information.

Your data can also be anonymized. Anonymization is an alternative to data deletion. With anonymization, all personally identifiable elements/elements that allow you to be identified are irreversibly deleted. There is no statutory obligation to delete anonymized data, as it does not constitute personal data.

Why and how we use automated algorithms

We use partially automated algorithms and methods to process your personal data in order to continuously improve our products and services and to adapt our products and services to your needs in the best possible way. This process is called profiling.

How we protect your personal data

To ensure adequate protection of the company's and its customers' data, we implement all necessary organizational and technical measures provided for in the Personal Data Protection Act.

The company has established rules to prevent abuse and security breaches, which supports the processes of protecting and ensuring the security of your data.

For the purpose of maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Personal data we have received from 3rd parties

We receive personal data from the following 3rd parties: Facebook and Google.

Consumer Rights

Each User of the site enjoys all rights to personal data protection under Bulgarian legislation and European Union law.

The user can exercise his rights through the contact form or by sending a message to our email.

Every User has the right to:

  • Awareness (in relation to the processing of his personal data by the administrator);
  • Access to your own personal data;
  • Correction (if data is inaccurate);
  • Erasure of personal data (right to be forgotten);
  • Restriction of processing by the controller or processor of personal data;
  • Portability of personal data between individual administrators;
  • Objection to the processing of his/her personal data;
  • The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her;
  • Right to judicial or administrative redress in the event that the data subject's rights have been violated.

The user may request deletion if one of the following conditions is met:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • The user withdraws his/her consent on which the data processing is based and there is no other legal basis for the processing;
  • The user objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data has been processed unlawfully;
  • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
  • The personal data were collected in connection with the provision of information society services to children and consent was given by the person with parental responsibility for the child.

The user has the right to restrict the processing of his/her personal data by the administrator when:

  • You contest the accuracy of the personal data. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of the personal data;
  • The processing is unlawful, but the User does not want the personal data to be deleted, but instead requests a restriction of their use;
  • The Administrator no longer needs the personal data for the purposes of the processing, but the User requires them for the establishment, exercise or defense of legal claims;
  • Object to the processing pending verification of whether the legitimate grounds of the administrator override the interests of the User.

Right to portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means. When exercising the right to data portability, the data subject shall also have the right to obtain the direct transmission of the personal data from one controller to another, where technically feasible.

Right to object

Users have the right to object to the processing of their personal data to the controller. The controller shall be obliged to stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. In the event of an objection to the processing of personal data for direct marketing purposes, the processing shall cease immediately.

Complaint to the supervisory authority

Every User has the right to file a complaint against unlawful processing of his/her personal data to the Personal Data Protection Commission or to the competent court.

Maintaining a register

We maintain a register of the processing activities for which we are responsible. This register contains all of the information listed below:

  • The name and contact details of the administrator;
  • The purposes of the processing;
  • Description of the categories of data subjects and the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed;
  • Including recipients in third countries or international organizations;
  • Where possible, the envisaged deadlines for erasure of the different categories of data;

Where possible, a general description of the technical and organisational security measures.