PRIVACY POLICY
PRIVACY POLICY
- INTRODUCTION
Welcome to https://
BY USING THIS WEBSITE, YOU CONSENT TO THE TERMS REGARDING THE COLLECTION, USE AND DISCLOSURE OF YOUR PERSONAL INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY.
PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THIS WEBSITE AND IF YOU HAVE ANY QUESTIONS REGARDING THIS PRIVACY POLICY, PLEASE CONTACT US.
IF YOU DO NOT AGREE WITH ANY OF THE TERMS CONTAINED IN THIS PRIVACY POLICY, YOU SHOULD NOT USE THIS WEBSITE.
ADMINISTRATOR OF PERSONAL DATA
"Shuga Company" EOOD (hereinafter referred to as "Administrator") is a limited liability company, with EIC: 204803945, with headquarters and management address: Sofia, p.k. 1137, ul. Amarant 1 e-mail address and website:
SUPERVISORY AUTHORITY:
Commission for the Protection of Personal Data
Address: Sofia, p.k. 1592, Prof. Blvd. Tsvetan Lazarov" 2
Contact details: 02/915 35 18; 02/915 35 15; 02/915 35 19; kzld@cpdp.bg , www.cpdp.bg
- PURPOSES AND SCOPE OF THE PRIVACY POLICY
1.1 The administrator understands the considerations of the visitors of this website regarding the protection of personal data and is committed to protecting their personal data by applying all standards for the protection of personal data according to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 year on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC. With this Privacy Policy, the Administrator respects the inviolability of the personality of natural persons and makes all necessary efforts to protect the personal data of natural persons against unlawful processing through the application of technical and organizational measures to protect personal data, which measures are fully in line with modern technological achievements and provide a level of protection that corresponds to the risks associated with the processing and the nature of the data to be protected.
1.2 With this Privacy Policy and in compliance with the requirements of Regulation (EU) 2016/679, the Administrator provides information regarding:
– the purposes and scope of the privacy policy;
– personal data collected and processed by the Administrator;
- the purposes of personal data processing;
- period of storage of personal data;
- mandatory and voluntary nature of providing personal data;
– processing of personal data;
– protection of personal data;
– the recipients or categories of recipients to whom the data may be disclosed;
– rights of natural persons;
– order for exercising the rights;
– right to object;
– buttons, tools and content from other companies;
– changes to the privacy policy.
III. DEFINITIONS
2.1 In the sense of Regulation (EU) 2016/679 and this policy, the specified terms have the following meaning:
- Personal Data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person.
- Processing of personal data means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission , distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed.
- Restriction of processing means marking stored personal data in order to limit their processing in the future.
- Profiling means any form of automated processing of personal data, consisting in the use of personal data to assess certain personal aspects related to a natural person, and more specifically to analyze or predict aspects related to the performance of professional duties of that an individual, their economic status, health, personal preferences, interests, reliability, behavior, location or movement.
- Administrator means a natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of this processing are determined by Union law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State.
- Personal data processor means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the controller.
- Recipient means a natural or legal person, public body, agency or other structure to which personal data is disclosed, whether or not it is a third party. At the same time, public authorities that may receive personal data within the framework of a specific investigation in accordance with Union law or the law of a Member State are not considered "recipients"; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing.
- Third party means a natural or legal person, public body, agency or other body other than the data subject, the controller, the personal data processor and the persons who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data.
- Consent of the data subject means any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent to the personal data relating to him being processed.
- Personal data breach means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that is transmitted, stored or otherwise processed.
- PRINCIPLES OF PERSONAL DATA PROCESSING
3.1 The administrator follows the following principles when processing personal data for natural persons, namely:
- Personal data is processed lawfully, in good faith and in a transparent manner with respect to the data subject ("lawfulness, good faith and transparency");
- Personal data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a manner incompatible with these purposes;
- Personal data is relevant, relevant and limited to what is necessary in relation to the purposes for which it is processed ("data minimization");
- Personal data are accurate and, if necessary, kept up-to-date ("accuracy");
- Personal data is stored in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the personal data is processed ("storage limitation");
- Personal data are processed in a way that ensures an appropriate level of personal data security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality").
- PERSONAL DATA COLLECTED AND PROCESSED BY THE ADMINISTRATOR
A. Processing of special categories of personal data ("sensitive data")
4.1 The administrator does not collect or process special categories of personal data, such as: personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or membership in trade unions, genetic data, biometric data for the sole purpose of identifying a natural person , data on the state of health or data on the sex life or sexual orientation of the natural person. Individuals should not provide such sensitive data to the Administrator. In the event that the natural person intentionally provides sensitive data to the Administrator, the Administrator undertakes to delete them immediately.
B. Personal data collected directly from individuals
Personal data collected directly from individuals when individuals post a comment on the website
5.1 Individuals provide personal data to the Administrator when they wish to post a comment on the website by filling in a form specially provided for this. When the individual fills out the form to post a comment, the Administrator collects and processes the individual's name and e-mail address as well as other information that the individual provides in the sent message. This data is processed for record keeping purposes. The processing of this personal data is necessary:
- to realize the legitimate interests of the Administrator, which legitimate interests are the publication of the received comments on the website.
Personal data collected directly from individuals when individuals contact the Administrator by e-mail
5.2 Individuals provide personal data to the Administrator when they contact the Administrator by e-mail. The Administrator's e-mail address is indicated in the Administrator's identification data in this Privacy Policy and on the website's title page in the "Contacts" section, where the Administrator's contact information is provided. When the person sends an e-mail to the Administrator, the Administrator collects and processes the e-mail address, as well as the other information that the person provides in the sent e-mail, such as name, phone number, address. This data is processed for the purposes of communication with the individual and record keeping. The processing of this personal data is necessary:
- to realize the legitimate interests of the Administrator, which legitimate interests are sending a response to the received messages, as well as saving the received messages.
– for actions preceding the conclusion of a contract and undertaken at the individual's request, namely providing more information about the services offered by the Administrator in connection with the possible conclusion of a contract with the individual.
The administrator uses the services of an e-mail service provider to store the received e-mails on the provider's server, which server is located in the Republic of Bulgaria.
Personal data collected directly from individuals when individuals contact the Administrator by sending a message using the Instagram platform
5.3 Individuals provide personal data to the Administrator when they contact the Administrator by sending a message using the Instagram platform through the Instagram messaging service accessible through the Administrator's Instagram page. When the person sends a message to the Administrator by using the Instagram platform through the Instagram messaging service, accessible through the Administrator's Instagram page at: https://www.instagram.com/sugabuba.official/?utm_source=ig_profile_share&igshid=1lzdx8d8ewua6 . The Administrator collects and processes the name of the natural person as well as the other information that the person provides in the sent message. This data is processed for the purposes of communication with the individual. The processing of these personal data is necessary to realize the legitimate interests of the Administrator, which legitimate interests are sending a reply to the received messages, as well as saving the received messages. The administrator uses the services of Instagram, an independent service provider located in the USA, to receive messages through the Instagram platform. This means that the personal data provided will be stored on Instagram's servers in the US. For the transfer of these personal data outside the European Economic Area, appropriate guarantees should be provided in accordance with Article 46 of Regulation (EU) 2016/679, as provided by Instagram and detailed in its Privacy Policy. Instagram's privacy policy is posted at the following address: https://help.instagram.com/519522125107875
Personal data collected directly from individuals when individuals register on the website
5.4 Individuals provide personal data to the Administrator when they register on the Administrator's website. When registering, the natural person provides the following personal data, which the Administrator collects and processes, namely: name and surname of the natural person, e-mail address, telephone and address. The collection and processing of this personal data is necessary: - to realize the legitimate interests of the Administrator, which legitimate interests are providing the individual with the opportunity to maintain a registered profile on the Administrator's website in order to purchase goods desired by the individual; - with a view to concluding or executing a contract for the purchase of goods. The data of individuals are stored on the server of a hosting service provider, which provider is registered in the Republic of Bulgaria.
Personal data collected directly from individuals when individuals purchase a product
5.5 Individuals provide personal data to the Administrator when they purchase a product from the Administrator's website. When purchasing goods from the Administrator's website, the natural person provides the following personal data, which the Administrator collects and processes, namely: name and surname of the natural person, e-mail address, telephone and address. The collection and processing of this personal data is necessary: - with a view to concluding or executing a contract for the purchase of goods; - to fulfill legal obligations for the purposes of issuing invoices. The data of individuals are stored on the server of a hosting service provider, which provider is registered in the Republic of Bulgaria.
C. Personal data of individuals provided by third parties
6.1 The administrator normally does not receive personal data about individuals from third parties. However, in some cases, if the Administrator has reasonable grounds to suspect that a natural person is infringing intellectual property rights and other similar cases, then the Administrator has the right to obtain personal data of the suspected person from public records, such as: register, the register for registered trademarks maintained by the Patent Office of the Republic of Bulgaria and similar. This data may be collected and processed for the purpose of filing an infringement claim against the infringer. The processing of personal data collected from a public register is necessary for the purposes of the legitimate interests of the Administrator, which legitimate interests are the filing of a claim for a committed violation against the offender, and also on legal grounds.
D. Data Collected Automatically
7.1 When visiting the website, the Administrator automatically collects the following data, namely:
- Internet Protocol (IP) address of the device from which the individual accesses the Platform (usually used to identify the country or city from which the individual accesses the Platform);
- Type of device from which the natural person accesses the platform (for example, computer, mobile phone, tablet, etc.);
- Type of operating system;
- Browser type;
- The specific actions that the individual takes, including the pages visited, the frequency and duration of website visits;
- Date and time of visits.
- PURPOSES FOR WHICH PERSONAL DATA IS PROCESSED
8.1 The administrator collects and processes the personal data of the natural persons, which are provided directly by them only for the following purposes, namely:
- in order to provide services that the Administrator offers, namely the sale of goods and identification of natural persons (future and current customers);
- to make contact with the individual via e-mail, so that the Administrator can respond to the inquiry received by the individual;
- for the performance of obligations under a contract to which the natural person to whom the data refer is a party, as well as for actions preceding the conclusion of a contract and undertaken at his request;
- to fulfill a legally established obligation of the Personal Data Administrator, in accordance with the applicable law;
- to send the goods purchased by the individual;
- accounting purposes;
- statistical purposes.
8.2 The administrator collects and processes the personal data of natural persons, which have been collected automatically for the following purposes, namely:
– improving the efficiency and functionality of the website;
- preparation of anonymous statistical data on the way the website has been used.
8.3 The administrator has no right to use the personal data of individuals for purposes other than the purposes specified in this section of this Personal Data Protection Policy.
VII. STORAGE PERIOD OF PERSONAL DATA
9.1 Inquiries and correspondence by e-mail, Facebook: The administrator stores the personal data and messages received by e-mail and Facebook for a period necessary to respond to the message received and to satisfy the request of the individual, as well as for a period of one year after The administrator has responded to the received message.
9.2 Personal data of persons who have purchased goods: The Administrator stores the personal data of persons who have purchased goods from the Administrator for a period of ten years, which period is the legally established term for storing customer invoices.
B. Criteria for determining the period for which personal data will be stored
9.3 In other cases not specified above, the Administrator will store the personal data of the natural person for no longer than necessary, taking into account the following criteria, namely: - whether the Administrator undertakes to comply with a legal obligation to continue the processing of the personal data of the natural person; - the purpose of storing the personal data both now and in the future; - whether a contract has been concluded between the Administrator and the natural person and the Administrator is obliged to continue processing personal data in order to fulfill the obligations under the contract; - purposes for using personal data now and in the future; - whether it is necessary to make contact with the natural person in the future; - whether the Administrator has a legal basis to continue processing the personal data of the individual; - any other legitimate reasons, such as the nature of the relationship with the natural person.
VIII. MANDATORY AND VOLUNTARY NATURE OF PROVIDING PERSONAL DATA
10.1 The personal data that are required to be provided by individuals are in accordance with the services offered by the Administrator and are mandatory. The provision of personal data by individuals is voluntary. In case the provision of personal data is refused:
- The administrator will not be able to deliver the goods desired by the individual;
- The natural person will not be able to create his user profile on the site.
- PROCESSING OF PERSONAL DATA
11.1 The administrator processes the personal data of natural persons through a set of actions that can be performed by automatic or non-automatic means.
11.2 The Administrator processes the personal data of natural persons independently or by assigning a data processor on behalf of the Administrator, who is the accountant of the company, which is based in the Republic of Bulgaria.
- PROTECTION OF PERSONAL DATA
12.1 The administrator takes the necessary technical and organizational measures to protect personal data from accidental or illegal destruction, or from accidental loss, from unauthorized access, modification or distribution, as well as from other illegal forms of processing, namely:
– all personal information that the individual provides to the Administrator is stored on secure and reliable servers and folders;
– when exercising the right of access by the individual, the Administrator verifies the identity of the individual before providing him with the requested information.
12.2 In case you wish to receive detailed information about the technical and organizational measures, please do not hesitate to contact us.
- RECIPIENTS TO WHOM PERSONAL DATA MAY BE DISCLOSED
13.1 The administrator has the right to disclose the processed personal data to the following categories of persons, namely:
- of the natural persons to whom the data refer;
- to individuals, if it is provided for in a regulatory act, for example state bodies (NAS, Patent Office, Commercial Register, etc.);
- to persons processing personal data who provide services for the benefit of the Provider's business activities, such as the Administrator's accountant, and such persons are bound by an obligation to observe confidentiality, and also such persons have provided sufficient guarantees for the application of appropriate technical and organizational measures in such a way that the processing takes place in accordance with the requirements of the Regulation and ensures the protection of the rights of natural persons.
13.2 The administrator does not sell personal data provided by the individual to third parties.
XII. RIGHTS OF NATURAL PERSONS
RIGHTS OF NATURAL PERSONS
Right of access
14.1 The natural person has the right to obtain from the Administrator a confirmation as to whether personal data related to him/her are being processed and, if so, to access the data – the relevant categories of personal data.
Right to rectification
14.2 The individual has the right to request the Administrator to correct inaccurate personal data relating to him without undue delay. Considering the purposes of the processing, the natural person has the right to have incomplete personal data completed, including by adding a declaration.
Right to erasure (right to be forgotten)
14.3 The natural person has the right to request from the Administrator the deletion of the personal data related to him without undue delay, and the Administrator has the obligation to delete the personal data without undue delay when any of the grounds specified in Article 17 of Regulation 2016/679 apply .
Right to restriction of processing
14.4 The natural person has the right to demand from the Administrator a restriction of processing when one of the conditions specified in Article 18 of Regulation 2016/679 applies. When processing is restricted, such data are processed, with the exception of their storage, only with the consent of the individual or for the establishment, exercise or defense of legal claims or for the protection of the rights of another individual or for important reasons of public interest for the Union or a Member State. When the natural person has requested restriction of processing, the Administrator informs him before canceling the restriction of processing.
Right to data portability
14.5 The natural person has the right to receive the personal data concerning him and which he has provided to an administrator in a structured, widely used and machine-readable format, where the processing is based on consent in compliance or a contractual obligation and the processing is carried out in automated way.
Right to object
14.6 The natural person has the right, at any time and on grounds related to his particular situation, to object to the processing of personal data concerning him. Pursuant to Art. 21, paragraph 4 of Regulation 2016/679, the natural person is expressly notified of the existence of the right to object, which is presented in a clear manner and separately from any other information. To fulfill this obligation, more information about the right to object can be found in the section below entitled "Right to object".
Profiling rights
14.7 The natural person has the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for the data subject or similarly significantly affects him.
Right to be notified of a breach of personal data security
14.8 When the breach of personal data security is likely to create a high risk for the rights and freedoms of individuals, the individual must be notified without undue delay of the breach of personal data security.
Right to judicial and administrative protection
Right to submit a complaint to a supervisory authority
14.9 The natural person has the right to submit a complaint to a supervisory authority, in particular in the Member State of habitual residence, place of work or place of the alleged violation, if the natural person considers that the processing of personal data concerning him violates the provisions of The regulation.
Right to an effective judicial remedy against a supervisory authority
14.10 Every natural and legal person has the right to effective judicial protection against a binding decision of a supervisory authority concerning him. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
Q: Right to an effective legal remedy against a controller or processor of personal data
14.11 Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority, an individual has the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of processing of his personal data that is not in accordance with the Regulation. Proceedings against an administrator or processor of personal data shall be instituted before the courts of the Member State in which the Administrator or processor of personal data has its place of establishment.
Right to compensation for damages suffered
14.12 Any person who has suffered material or non-material damages as a result of a violation of the Regulation has the right to receive compensation from the Administrator or the processor of personal data for the damages caused. Legal proceedings in connection with the exercise of the right to compensation shall be instituted before the courts of the Member State in which the Administrator or personal data processor has its place of establishment.
XIII. ORDER FOR EXERCISE OF RIGHTS
15.1 Individuals exercise their right to withdraw consent, the right of access, the right to deletion, correction, the right to limit processing, the right to data portability, the right to object and the right to profiling, by submitting a written request to the Administrator ( or by mail to the address indicated in the Administrator's identification above in this privacy policy or by sending an email), which should contain the following information:
- name, address and other identification data of the relevant natural person;
- description of the request;
- signature, date of submission of request and e-mail address.
15.2 The request is made personally by the individual. The administrator files the requests submitted by individuals in a separate register.
15.3 After the natural person exercises his right of access to personal data concerning him, the Administrator verifies the identity of the natural person before responding to the request. This is necessary to minimize the risk of unauthorized data access and identity theft. In the event that the Administrator cannot identify the natural person from the personal data collected, then the Administrator has the right to request a copy of documents that identify the natural person (such as an identity card, driver's license, other documents that contain personal data that may identify the natural person).
15.4 The administrator examines the request and provides the individual with information about the actions taken in relation to the request within two months of receiving the request. If necessary, this period can be extended by another month, taking into account the complexity and number of requests.
15.5 The administrator informs the individual of any such extension within one month of receiving the request, indicating the reasons for the delay. When the individual submits a request by electronic means, if possible, the information shall be provided by electronic means, unless the individual has requested otherwise.
15.6 If the Administrator does not take action on the individual's request, the Administrator shall notify the person without delay and at the latest within one month of receiving the request of the reasons for not taking action and of the possibility of submitting a complaint to a supervisory authority and seeking protection by court order.
15.7 The administrator undertakes to communicate any rectification, deletion or restriction of processing to any recipient to whom the personal data has been disclosed, unless this is impossible or requires a disproportionately large effort. The administrator informs the individual about these recipients if the individual so requests.
XIV. RIGHT OF OBJECTION
16.1 The natural person has the right, at any time and on grounds related to his particular situation, to object to the processing of personal data concerning him. Pursuant to Art. 21, paragraph 4 of Regulation 2016/679, the natural person is expressly notified of the existence of the right to object, which is presented in a clear manner and separately from any other information. To fulfill this obligation, more information about the right to object will be provided in this section of this privacy policy.
16.2 The natural person has the right, at any time and on grounds related to his particular situation, to object to the processing of personal data concerning him, in cases where the processing is necessary for the performance of a task of public interest or in the exercise of official powers that have been granted to the Administrator or the processing is necessary for the purposes of the legitimate interests of the Administrator or a third party, except when the interests or fundamental rights and freedoms of the natural person that require the protection of personal data take precedence over such interests -especially when the individual is a child. The administrator undertakes to stop the processing of personal data, unless he proves that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the natural person, or for the establishment, exercise or defense of legal claims. Individuals exercise their right to object by submitting a written request to the Administrator by mail at the address specified in the Administrator's identification above in this privacy policy or by sending an email.
16.3 Where personal data are processed for the purposes of direct marketing, the natural person has the right at any time to object to the processing of personal data concerning him for this type of marketing, which includes profiling in so far as it is related to direct marketing. When the natural person objects to processing for the purposes of direct marketing, the processing of personal data for these purposes is terminated. Individuals exercise their right to object by submitting a written request to the Administrator by mail to the address indicated in the Administrator's identification above in this privacy policy or by sending an email indicating that they do not wish to receive advertising communications.
- LINKS, TOOLS AND CONTENT FROM OTHER COMPANIES
17.1 The website contains buttons, tools or content that link to services of other companies, such as buttons "Facebook" button, "Instagram" button, "Twitter" button and "Instagram" button. All sites of such companies that can be accessed through this website are independent and the Administrator does not assume any responsibility for damages and losses resulting from the use of these sites. Individuals use these sites at their own risk and are advised to consult the relevant Privacy Policy of the respective company for more information.
XVI. CHANGES TO PRIVACY POLICY
18.1 This Privacy Policy may be updated at any time in the future. When that happens, the changed policy will be posted on this website with a new "Last Modified" date at the top of this Privacy Policy and will be effective from the date of posting. Therefore, it is recommended that you periodically check this Privacy Policy to ensure that you are aware of any changes. By using the website after the updated Privacy Policy is posted, you will be deemed to agree to the changes.
XVII. CONTACTS
19.1 In case you have any further questions regarding this Privacy Policy, please do not hesitate to contact us on the contact form.