Privacy Policy

Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

• Contractual necessity — to fulfil orders and provide our services.
• Consent — for marketing emails and non-essential cookies (you may withdraw consent at any time).
• Legitimate interests — to improve our website, prevent fraud, and ensure security.
• Legal obligation — to comply with tax, accounting, and regulatory requirements.

How We Use Your Data

• Process and fulfil your orders, including payment and delivery
• Create and manage your customer account
• Send order confirmations, shipping updates, and delivery notifications
• Provide customer support and respond to inquiries
• Send promotional offers, newsletters, and product recommendations (with consent)
• Personalise your shopping experience and show relevant products
• Analyse website traffic and usage patterns to improve our platform
• Detect, prevent, and investigate fraud or security incidents
• Comply with legal, tax, and regulatory obligations
• Conduct internal research, analytics, and business reporting
• Administer contests, promotions, or surveys

Data Sharing & Third Parties

We do not sell your personal data. We share data only with trusted third parties necessary to operate our services:

• Stripe — payment processing. Stripe acts as an independent data controller. Stripe Privacy Policy
• Speedy / Econt — order fulfilment and delivery within Bulgaria.
• DHL / DPD — international shipping within the EU.
• Google Analytics — website analytics (anonymised IP enabled).
• Hosting providers — cloud infrastructure (Vercel / AWS), data stored within the EU.

All third-party processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance.

Data Retention

We retain your personal data only as long as necessary for the purposes described above:

• Account data: for the duration of your account, plus 30 days after deletion request.
• Order history: 7 years for tax and accounting compliance.
• Marketing preferences: until you unsubscribe or withdraw consent.
• Analytics data: 26 months (anonymised after this period).
• Support tickets: 3 years from the date of resolution.

Cookies & Tracking Technologies

Our website uses cookies and similar technologies. When you first visit, a cookie banner allows you to accept or reject non-essential cookies. Essential cookies (required for the site to function) cannot be disabled. You can manage your preferences at any time via your browser settings or our cookie preference centre.

International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If any transfer outside the EEA is necessary, we ensure adequate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on an adequacy decision.

Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly. Parents or guardians who believe their child has provided us with personal data should contact us immediately.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 14 days before taking effect. Continued use of our services after the effective date constitutes acceptance of the updated policy.