Privacy Policy

Information about the personal data controller:

“MILOTKA” Ltd., is a company registered in the Commercial Register of the Registry Agency with UIC 206293003, with headquarters and address of management: 1172 Sofia, 126 Tintyava Str., entr. А, fl. 5, ap. 15, Tel: +35924393553; e-mail:

Reasons and purposes for which we use your personal data

We process your personal data on the following grounds:

  • The contract concluded between us and you, in order to fulfil our obligations under it;
  • Explicit consent from you – the purpose is specified for each case;
  • In case of a statutory obligation;

In the following paragraphs you will find detailed information about the processing of your personal data, depending on the basis on which we process it.


We process your personal data in order to fulfil the contractual and pre-contractual obligations and to exercise the rights under the contracts concluded with you.

Purposes of processing:

  • establishing your identity;
  • management and execution of your order and execution of a concluded contract;
  • preparation of a contract proposal;
  • preparation and sending of a bill/invoice for the services you use with us;
  • to provide you with the necessary comprehensive service, as well as to collect the amounts due for the services used;
  • keeping correspondence in connection with orders placed, processing orders, reporting problems, etc.
  • notification of everything related to the services you use with us;
  • customer history analysis;
  • detectable and/or preventable illegal actions or actions contrary to our terms and conditions for the respective services;

Data that we process on this basis:

On the basis of the contract concluded between us and you, we process information on the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:

  • personal contact details – contact address, email, phone number;
  • identification data – three names, personal number or personal number of a foreigner, permanent address;
  • data on the orders placed;
  • correspondence in connection with the overall service – e-mail, letters, information about your requests for troubleshooting, complaints, requests, demurrals, feedback we receive from you;
  • credit or debit card information, bank account number or other banking and payment information in connection with the payments made;
  • other information such as:
  • Customer number, code or other identifier created for identification;
  • IP address when visiting our website;
  • Demographic data
  • Social network profile data
  • Information from your activities on the site

The processing of the specified personal data is obligatory for us so that we can conclude the contract with you and fulfil it. Without the above information, we would not be able to fulfil our obligations under the contract.

We provide personal data to third parties

We provide your personal data to third parties, and our main goal is to offer you quality, fast and comprehensive service. We do not provide your personal data to third parties until we have made sure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control over the implementation of this purpose. In this case, we remain responsible for the privacy and security of your data.

We provide personal data to the following categories of recipients (personal data controllers):

  • postal operators and courier companies;
  • persons who, on assignment, maintain equipment, software and hardware used for personal data processing and necessary for the company’s activity;
  • persons providing consulting services in various fields.

When we delete data collected on this basis

We delete the data collected on this basis 180 days after the termination of the contractual relationship, regardless of whether due to the expiration of the contract, cancellation or other grounds.


It is possible that the law provides for an obligation for us to process your personal data. In these cases, we are obliged to carry out the processing, such as:

  • Obligations under the Measures Against Money Laundering Act;
  • Fulfilment of obligations in connection with distance selling, off-site sales, provided for in the Consumer Protection Act;
  • Providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
  • Providing information to the Commission for Personal Data Protection in connection with obligations under the data protection legislation;
  • Obligations provided for in the Accounting Act and the Tax and Social Insurance Procedure Code and other related regulations in connection with the keeping of lawful accounting;
  • Providing information to the court and third parties, in court proceedings, in accordance with the requirements of the applicable regulations;
  • Age verification for online shopping.

When we delete personal data collected on this basis

We delete the data collected in accordance with an obligation provided for in the law, after the obligation for collection and storage has been fulfilled or is no longer applicable. For example:

  • under the Accounting Act for storage and processing of accounting data (11 years),
  • obligations to provide information to the court, competent state authorities and other grounds provided for in the current legislation (5 years).


Providing data to third parties

When there is an obligation for us by law, it is possible for us to provide your personal data to the competent state authority, natural or legal person.


We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We will not foresee any adverse consequences for you if you refuse the processing of personal data.

Consent is a separate basis for the processing of your personal data and the purpose of the processing is stated in it, and is not covered by the purposes listed in this policy. If you give us the relevant consent and until its withdrawal or termination of any contractual relationship with you, we prepare suitable for you offers for products/services, performing detailed analyses of your basic personal data;

Data that we process on this basis:

On this basis, we process only the data for which you have given us your explicit consent. Specific data is determined for each individual case. Usually this information is email, names and phone number.

Providing data to third parties

On this basis, we may provide your data to marketing agencies, Facebook, Google or the like.

Withdrawal of consent

The consents granted may be withdrawn at any time. Withdrawal of consent shall not affect the performance of the contractual obligations. If you withdraw your consent to the processing of personal data for some or all of the ways described above, we will not use your personal data and information for the purposes set out above. Withdrawal of consent shall not affect the lawfulness of the processing based on a consent prior to its withdrawal.

In order to withdraw your consent, you only need to use our website or just our contact details.

When we delete data collected on this basis

We delete the data collected on this basis at your request or 180 days after its initial collection.


We process your data for statistical purposes, i.e., for analyses in which the results are only summary and therefore the data is anonymous. It is not possible to identify a specific person from this information.

Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable items / items that allow your identification are permanently deleted. There is no legal obligation for anonymized data to be deleted, as it does not constitute personal data.

Why and how we use automated algorithms

For the processing of your personal data, we use partially automated algorithms and methods in order to constantly improve our products and services, to adapt our products and services to your needs in the best possible way. This process is called profiling.

How we protect your personal data

To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act.

The company has established rules to prevent misuse and security breaches, which supports the processes of protecting and securing your data.

In order to ensure maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Personal data that we have received from 3rd parties

We receive personal data from the following 3rd parties: Facebook and Google.

User rights

Each User of the site enjoys all rights for personal data protection according to the Bulgarian legislation and the law of the European Union.

The user can exercise their rights via the contact form or by sending a message to our email.

Each User has the right to:

  • Information (in connection with the processing of his/her personal data by the controller);
  • Access to his/her own personal data;
  • Correction (if data is inaccurate);
  • Deletion of personal data (“right to be forgotten”);
  • Restriction of processing by the controller or processor of personal data;
  • Transferability of personal data between individual controllers;
  • Objection to the processing of his personal data;
  • The data subject is also entitled not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for the data subject or similarly affects him significantly;
  • The right to judicial or administrative protection in the event that the data subject’s rights have been violated.

The user may request deletion if one of the following conditions is met:

  • Personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • The user withdraws his/her consent on which the data processing is based and there is no other legal basis for the processing;
  • The user objects to the processing and there are no legal grounds for the processing to take precedence;
  • Personal data has been processed illegally;
  • Personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;
  • Personal data has been collected in connection with the provision of information society services to children and the consent has been given by the parent responsible for the child.

The user has the right to restrict the processing of his/her personal data by the controller when:

  • The accuracy of personal data has been disputed. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of personal data;
  • The processing is illegal, but the User does not want the personal data to be deleted, but instead requires their use to be restricted;
  • The Controller no longer needs the personal data for the purposes of processing, but the User requires them for the establishment, exercise or protection of legal claims;
  • Objects to processing pending verification of whether the controller’s legal grounds take precedence over the User’s interests.

Right to transferability

The data subject has the right to receive the personal data concerning him/her and which he/she has provided to the controller, in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance from the controller to whom the personal data has been provided, when the processing is based on consent or a contractual obligation and the processing is carried out in an automated manner. When exercising its right to data portability, the data subject shall also have the right to receive a direct transfer of personal data from one controller to another where this is technically feasible.

Right to object

Users have the right to object to the processing of their personal data by the controller. The controller of personal data shall be obliged to terminate the processing, unless he proves that there are convincing legal grounds for the processing, which take precedence over the interests, rights and freedoms of the data subject, or for establishing, exercising or defending legal claims. In the event of an objection to the processing of personal data for direct marketing purposes, the processing should be terminated immediately.

Complaint to the supervisory authority

Each User has the right to file a complaint against illegal processing of his/her personal data to the Commission for Personal Data Protection or to the competent court.

Register maintenance

We keep a register of the processing activities for which we are responsible. This register contains all the information listed below:

  • The name and contact details of the controller;
  • Processing purposes;
  • Description of the data subject categories and the personal data categories;
  • The categories of recipients to whom the personal data is or will be disclosed;
  • Including recipients in third countries or international organizations;
  • Where possible, the deadlines for deleting the different categories of data;
  • Where possible, a general description of the technical and organizational security measures.