We protect your data

Privacy Policy

(In force as of 25.05.2018)

Personal data of visitors and registered users at the online store “Zoya Goes Pretty” (www.zoyagoespretty.com) is processed for the purposes of advertisement, sale and supply of healthy products, as well as for affiliated purposes. Our mission is to be your favorite store for organic, healthy and natural cosmetics and ingredients. To accomplish this, we make available information regarding cosmetic products, ingredients, supplies, their origin and guidance for use, as well as similar products or combinations of such.

The Controller (“the Controller”) of your personal data processed by the online store “Zoya Goes Pretty” is “Internet Kafe-BG” LLC, company reg. No.: 130533126, with headquarters and registered address: 22 Aksakov St., 1000 Sofia, Bulgaria.

The Data Protection Officer of the Controller will answer all your questions regarding the processing and protection of your personal data and will make the process of exercising your data subject rights easier and more understandable. You can contact him / her directly via email at dpo@zoya.bg.

Personal data that we process

We may collect the following information:

1. Data contained in your account/profile that is created for you after entering into an informal contractual obligation with the Controller by accepting the Terms and Conditions on the online store “Zoya Goes Pretty” (the “Terms and Conditions” or “GTC”):

First and last name;
Username (Display name);
E-mail address;
Password.

2. Data stemming from Online orders, initiated by you via informal contractual obligation from a distance with the Controller upon applying the General Terms and Conditions:

First and last name of the person to whom the order is to be delivered;
Delivery address – country, city, postcode, address;
Phone number for the purpose of delivery;
Invoice data – names, phone, city, country, postcode, address;
Type of delivery;
Method of payment;
Order number;
Payment amount;
Payment status;
Status of delivery.

II. We process the following data based on your consent expressed through a deliberate action – entering an optional set of data and / or freely choosing specific options:

1. Contact Data and data contained in a sent message, provided by completing the contact form of the online store “Zoya Goes Pretty” or by sending us an email, conventional mail, telegram, fax, telephone call, sending SMS and other forms of communication:

First and last name;
E-mail address;
Phone number;
Fax number;
Address;
Website;
Content of the message.

2. Data stemming from Online orders:

Order History.

You may withdraw any of the aforementioned consents through your account settings or the form and manner prescribed in this Policy. Upon withdrawal of consent, the processing of the relevant personal data for the stated purposes is discontinued. Withdrawal of consent does not affect the lawfulness of consent-based processing prior to its withdrawal.

III. We process the following data for compliance with legal obligations in accordance with local and EU legislation:

1. Data contained in your account/profile:

First and last name;
Username (Display name);
E-mail address.

2. Data stemming from Online orders:

Delivery address – country, city, postcode, address;
Telephone for delivery;
Invoice data – names, phone, city, country, postcode, address;
Type of delivery;
Method of payment;
Order number;
Payment amount;
Status and payment history;
Status and delivery history;
Order History.

IV. We process the following data on the basis of legitimate interest:

1. Data contained in your account/profile:

First and last name;
Username (Display name);
E-mail address.

2. Data stemming from Online orders:

Delivery address – country, city, postcode, address;
Phone number for the purpose of delivery;
Invoice data – names, phone, city, country, postcode, address;
Type of delivery;
Method of payment;
Order number;
Payment amount;
Status and payment history;
Status and delivery history;
Order History.

Purposes of the processing of personal data

1. The data contained in your account/profile is being processed for the purposes of:

Accountability of the Controller by recording legally significant data in electronic protocols – technical logs;
Delivery of ordered products;
Provision of support for technical malfunctions, providing customers with information via our call center, responding to complaints, tracking supplies, payments and more;
Verifying your account data by sending an email to ensure the security of access or for resetting your password;
Authentication when signing in to your account;
Sending messages via email and/or push notifications for purposes of direct marketing only with your explicit consent;
Complying with legal rulings, judgments, orders and decisions of state authorities and administrative supervisors. This includes using your personal data to collect and verify accounting data and comply with the accounting rules.

2. The data stemming from Online orders is being processed for the purposes of:

Delivery of ordered products;
Provision of support for technical malfunctions, providing customers with information via our call center, responding to complaints, tracking supplies, payments and more;
Preventing and investigating abuse of online orders and related supplies, as well as losses and fraud;
Complying with legal rulings, judgments, orders and decisions of state authorities and administrative supervisors. This includes using your personal data to collect and verify accounting data and comply with the accounting rules;
Statistical analysis of the information obtained after anonymization of your data.

3. The contact data and the data contained in a sent message are processed for the purposes of:

Identifying you as the sender / author of a message or a posted comment;
Establishing communication with you.

Third parties with access to your personal information for the fulfillment of their duties

1. We use the following service providers for cloud services, hosting, reverse proxy, CDN, servers / clusters and collocation:

NS 1 Ltd., with company reg. No.: 175018740 – provides hosting for the online store “Zoya Goes Pretty”, by using the services of the subcontractor “TELEPOINT” Ltd., with UIC: 175424163. You can read their privacy policy at the following address: https://www.ns1.bg/privacy.php;
TELEPOINT Ltd., with company reg. No.: 175424163 – carries out colocation of backup servers used for the online store “Zoya Goes Pretty”, by means of their data center in Sofia at 122 Ovche Pole Str., and is also a subcontractor of NS 1 Ltd. You can read their privacy policy at the following address: https://telepoint.bg/files/Politika_za_poveritelnost_clients_BG.pdf;
Cloudflare, Inc., headquartered in San Francisco, California, USA – provides reverse proxy, DNS and CDN (content delivery network). Cloudflare, Inc. participates in the Privacy Shield program and has a valid compliance certificate, which can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active#privacy-policy-1. Their privacy policy is available at https://www.cloudflare.com/security-policy/.

2. Consultants and suppliers in different spheres for the purposes of protecting our legitimate interests in maintaining and improving the quality of the services we provide to you, meeting legal requirements, and protecting legal rights and interests in judicial, pre-trial and administrative proceedings. We use the following entities on a regular basis:

GENSOFT LLC, with company reg. No.: 121497880 – provides licensed specialized software for warehousing, implemented in the Controller’s workflow. More about them can be found on their website: http://gensoft.bg/;
DIGITAL FORMAT LLC, with company reg. No.: 131388712 – provides consultancy services concerning information, advice and technical support for the equipment we use;
Delivery companies we use for supplying products: Econt, Speedy, Rapido, Aramex, DHL and TNT.

3. State authorities and institutions in connection with inquiries carried out by them in accordance with legal requirements and restrictions.

With regard to the use of private entities, we require these third parties to apply all adequate technical and organizational measures to protect your data, and we enforce this requirement.

Your personal data is processed for the following time periods

1. Data provided on a contractual basis:

Account/profile data – up to 5 years from the date of the last online order; in the absence of an order – until the account/profile is deleted through the online store’s functionality or 5 years from the date of your last login, whichever happens first. Account/profile data is related to, and defines, the online order data, which is why the term set for the online order data applies to it. In the absence of an order you still have the legal expectation to be permitted to use those services for the full remainder of the 5-year term based on the informal contract you have as a user; we therefore provide you, as a remedy for this situation, with the option to delete your account at any time before the end of the five-year term;
Online order data – up to 5 years from the date of any given order. The term is determined on the basis of the limitation period for repayment of the receivables.

2. Data on the collection and verification of accounting data and accounting compliance – accounting records and financial statements, including tax audit, audit and subsequent financial inspection documents, shall be kept for 10 years from 1st of January of the reporting period following the reporting period to which they refer; all other holders of accounting information – three years from 1st of January of the reporting period following the reporting period to which they refer;

3. Data provided on the basis of consent – until the withdrawal of consent, as provided, including through the functionality of the online store or the blog, or by deletion, or until the expiration of 5 years from the date of your last login, whichever happens first.

Once this deadline has expired, the data is deleted and cannot be recovered or used anymore. However, the data shall not be deleted but will continue to be processed, only for the purpose of protecting our legitimate rights and legitimate interests or in the fulfillment of our legal obligations, if at the date of expiration of that period there are pending legal, administrative and pre-trial proceedings, or misconduct admitted or brought to our knowledge, complaints and potential violations – until their completion.

Your rights in relation to your personal data

1. Right of access, including the right to copy the data under processing:

You have the right to request information about the personal data we hold on you at any time. You may contact us and, based on a written request and authentication of your identity, the data will be provided to you;

2. Right to rectification:

You have the right to request rectification of your personal data if the information is incorrect, including the right to have incomplete personal data completed. You can do so through your account/profile or by writing to us, after duly authenticating your identity;

3. Right to erasure (“Right to be forgotten”) in the following cases:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
Withdrawal of consent when processing is based on consent;
Illegal data processing;
Legal obligation to delete.

The right to be forgotten is not an absolute right and may not be granted in the cases provided for by the law or due to a lack of proper authentication of your identity.

4. Right to restriction when:

You object to processing based on the Controller’s legitimate interest; the Controller shall restrict all processing of such data pending the verification of the legitimate interest; or
You claim that your personal data is incorrect; the Controller must restrict all processing of such data pending the verification of the accuracy of the personal data; or
The processing is unlawful and you oppose the erasure of the personal data, requesting the restriction of its use instead; or
The Controller no longer needs the personal data but it is required by you to defend legal claims.

In the case of rectification, erasure or restriction of processing, we will inform any recipient to whom personal data have been disclosed, unless this is impossible or involves a disproportionate effort.

5. The portability of machine-readable data, according to which we will:

Provide the data directly to you; or
If requested by you and technically feasible, provide the data to another controller of your choice.

6. Right to object to processing based on a legitimate interest:

You may object to the processing of your personal data based on the legitimate interest of the Controller or a third party. The Controller will not continue to process your personal data unless it is proven that there are compelling legal bases that have priority over your interests and rights or due to litigation and other procedural and extra-procedural actions.

7. Right to object to direct marketing:

You have the right to object to the receipt of marketing communications, including profiling and analysis for direct marketing purposes.

8. Right to lodge a complaint with a supervisory authority in the Member State of habitual residence, place of work or place of suspected violation if you consider that the processing of your personal data is in breach of the provisions of Regulation (EC) 2016/679. On the territory of the Republic of Bulgaria, where the Controller’s headquarters are located, the supervisory authority is the Personal Data Protection Commission.

The aforementioned rights shall be exercised by written request in the form determined by the Administrator, which you can get at the seat of the Controller or electronically upon request to the Data Protection Officer of the Controller, by completing the electronic form received in response and enclosing the necessary documents. If you are registered at the online store “Zoya Goes Pretty”, you can use the automatic data subject rights form located in your account/profile.

You will receive an answer to your request within one month of receipt of your written request.

Methods used for automated individual decision-making, including profiling

We do not use automated algorithms and / or profiling.

On “Cookie” usage

Regarding the data contained in the cookies used on the online store “Zoya Goes Pretty”, you can read about it in our Cookie Policy.