Privacy Policy

General Terms and Conditions

„Heliantheae” Ltd. (hereinafter referred to as “Controller” or “the Company”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information aims to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.

Grounds for collecting, processing and storing your personal data

Art. 1. The controller collects and processes your personal data in connection with the use of website www.heliantheae.bg and conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following basis:

• Explicit consent received by you as a customer;
• Fulfillment of the Administrator’s obligations under a contract with you;
• For the purposes of the legitimate interests of the Administrator or of a third party;
• Explicit consent received by you as a customer;

Objectives and principles for the collection, processing and storage of your personal data

Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of website www.heliantheae.bg and conclusion of a contract with the Company, including for the following purposes:

• creating an account and providing full functionality when using the online store;
• individualization of a party to the contract;
• accounting purposes;
• statistical purposes;
• protection of information security;
• ensuring the performance of the contract for the provision of the service concerned;
• sending a newsletter and emails with special offers if you wish;

(2) We comply with the following principles when processing your personal data:

• legality, good faith and transparency;
• restriction of processing purposes;
• accountability with the purposes of processing and minimizing the data collected;
• accuracy and timeliness of the data;
• restriction of storage in order to achieve the objectives;
• integrity and confidentiality of the processing and ensuring an appropriate level of security of personal data.

(3) In the processing and storage of personal data, the Controller may process and store the personal data in order to protect its following legitimate interests:

– fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.

What types of personal data does our company collect, process and store

Art. 3. (1) The Company performs the following operations with the personal data provided by you as customers for the following purposes:

– Registration of a customer in the e-shop and performance of a distance purchase and sale contract – the purpose of this operation is to create an account for the use of the e-shop for the purchase of goods and the provision of contact details for the purpose of carrying out the delivery of purchased goods. Registering and creating an account to use the online store are not mandatory steps from the provision of our service, but the latter available without creating a personal account. The “User Registration” operation is considered admissible and provides sufficient guarantees to protect the rights and legitimate interests of data subjects in accordance with GDPR requirements;
– Send a newsletter – The purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news and new functionalities to customers who have stated that they wish to receive them.
– Exercise right of refusal or making a claim – the purpose of this operation is to administer the process of exercising the customer’s right of withdrawal or claim for the goods in respect of which those rights may be exercised.

(2) The controller does not collect or process personal data that relate to the following:

• racial or ethnic origin;
• political, religious or philosophical beliefs or trade union membership;
• genetic and biometric data, health data or data on sexual life or sexual orientation.

(3) The personal data have been collected by the Controller from the persons to whom they relate.

(4) The controller does not have an automated data collection process.

(5) The Company does not collect data on persons under 16 years of age, except with the express consent of their parent or legal representative.

Art. 4. (1) The controller processes the following categories of personal data and information for the following purposes and on the following grounds:

– Your distinctive data (e-mail, name, etc.)

– Purpose for which the data are collected: 1) Contact the user about sending the goods or services he ordered, 2) for the purposes of registering a user in the online store, as well as 3) to send a newsletter, emails with special offers, promotions, promo codes, news and new functionalities.
– Grounds for processing your personal data – By accepting the general terms and conditions and registering in the e-shop or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you, which is grounds for processing your personal data – Art. 6, para. 1, b. (b) GDPR. Your data for sending a newsletter and emails is processed at your explicit consent – Art. 6, para. 1, b. (a) GDPR.

– Delivery data (name, telephone, address, etc.)
– Purpose for which the data are collected: Fulfillment of obligations of the administrator under a contract for purchase and sale and delivery of the purchased goods.
– Grounds for processing your personal data – By accepting the general terms and conditions and registering in the e-shop or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you on which we process your personal data – Art. 6, para. 1, b. (b) GDPR.
– Purpose for which the data are collected: 1) Contact the user and send information to the user and (2) for the purposes of registering a user in the online store.
– Grounds for processing your personal data – By accepting the general terms and conditions and registering in the e-shop through a social network account, a contractual relationship is created between the Controller and you on which we process your personal data – Art. 6, para. 1, b. (b) GDPR.
– Data from your social media accounts (publicly available information from your Twitter, Facebook and other accounts)

Shelf life of your personal data

Art. 5. (1) The controller stores your personal data for no longer than the existence of your online store account or placing the order “as a guest”. After deleting your account or completing the order, the Administrator takes the necessary care to delete and destroy all your data without undue delay or to anonymize them (i.e. to bring them into a form that does not reveal your personality).

(2) The Controller stores your personal data provided in connection with online orders made for a period of 5 years for the purpose of protecting the legal interests of the Controller in legal or administrative disputes with users of the online store, and the accounting documents are kept for the respective statutory period.

(3) The Controller shall notify you in case the data retention period is necessary to be extended in order to fulfil a legal obligation or in view of the legitimate interests of the Controller or otherwise.

(4) The controller stores the personal data that he/she needs to keep under the applicable legislation for the relevant period of time, which may exceed the duration of your e-shop account or until the order is completed.

Art. 6. (1) The Controller stores the personal data of the legal representatives of his trading partners for the duration of the contract, for compliance with the legitimate interests and legal obligations of the Administrator, and this period may exceed the term of the concluded contract.

Transfer of your personal data for processing

Art. 7. (1) The Controller may, at its sole discretion, transfer some or all of your personal data to processors for the performance of the processing purposes with which you have agreed, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Controller notifies you in case of intention to transfer some or all of your personal data to third countries or international organizations.

Your rights in the collection, processing and storage of your personal data

Withdrawal of consent to the processing of your personal data

Art. 8. (1) If you do not wish all or part of your personal data to continue to be processed by the Company for specific or all processing purposes, you may at any time withdraw your consent to processing by completing a “Form of Withdrawal of Consent for Processing Purposes” or by a free text request.

(2) The controller may request that you verify your identity and identity with the person to which the data relate.

(3) By withdrawing consent to the processing of personal data that is mandatory for creating and maintaining an online store account, your account will become inactive. Of course, you will be able to browse the online store and offered products and place orders as a guest or make a new registration.

(4) If there is an order you have placed that is under processing, the earliest time you can withdraw your consent to processing is up to two working days after the successful completion of the order.

(5) You may at any time withdraw your consent to the processing of your personal data for direct marketing purposes.

(6) The withdrawal of consent does not affect the lawfulness of the processing of personal data that the Controller has carried out so far.

Right of access

Art. 9. (1) You have the right to request and receive from the Controller confirmation whether personal data relating to you are being processed, and you can view in your account at any time, if you are a registered user, the data we process about you.

(2) You have the right to access the data relating to you as well as the information relating to the collection, processing and storage of your personal data.

(3) The Controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.

(4) The provision of access to the data is free of charge, but the Administrator reserves the right to impose an administrative fee in case of repeated or excessive requests.

Right to rectification or replenishment

Art. 10. You may correct or fill in inaccurate or incomplete personal data relating to you directly through your website account or by requesting it to the Controller.

Right to erasure

Art. 11. (1) You have the right to request from the Controller the erasure of some or all of the personal data related to you, and the Controller has the obligation to delete them without undue delay when there are any of the following grounds:

• personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• You withdraw your consent on which the processing of the data is based and there is no other legal basis for the processing;
• You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no legitimate grounds for the processing that prevail;
• personal data have been processed unlawfully;
• personal data must be deleted in order to comply with a legal obligation under EU or Member State law that applies to the Controller;
• personal data have been collected in connection with the provision of information society services.

(2) The controller is not obliged to delete the personal data if it stores and processes them:

• the exercise of the right to freedom of expression and information;
• to comply with a legal obligation requiring processing provided for in EU law or the law of the Member State applicable to the Controller or to the performance of a task in the public interest or in the exercise of official powers conferred on him;
• for reasons of public interest in the field of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
• the establishment, exercise or defense of legal claims.

(3) In case of exercise of your right to be forgotten, the Company will delete all your data except the following information:

• information needed to verify that your right to be forgotten has been fulfilled – email, IP address;
• technical information about the functioning of the online store, which information cannot be contacted in any way with your personality;

(4) To exercise your right to be forgotten, you need to take the following steps:

• Submit an application by sending a completed “Request to be forgotten”;
• Legitimize as an account holder;

(5) Once we have verified the identity of the person making the request and the person to whom the data relate in accordance with the steps set out above, we will delete all data we process about you in accordance with paragraph 1. 3.

(6) If there is an order made by you that is under processing, the earliest time you can request to be “forgotten” is up to two working days after the successful completion of the order.

(7) By deleting your personal data, your account will become inactive. Of course, you will be able to browse the online store and offered products and place orders as a guest or make a new registration.

(8) The Controller does not delete the data that he has a legal obligation to store, including for protection against legal claims made against him or proof of his rights.

Right to restriction

Art. 12. You have the right to require the Controller to restrict the processing of the data relating to you when:

• dispute the accuracy of the personal data for a period that allows the Controller to verify the accuracy of the personal data;
• processing is unlawful, but you do not want the personal data to be deleted, only to limit their use;
• The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or protection of your legal claims;
• You have objected to the processing pending verification that the legitimate grounds of the Controller take precedence over your interests.

(2) In case of exercise of your right to restriction, the Company will suspend the processing of your data, but will not remove the entered data that you have entered in the online store.

Right to portability

Art. 13. (1) If you have given consent to the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you can, after you have legitimized yourself before the Controller:

• to ask the Controller to provide you with your personal data in a readable format and transfer it to another Controller;
• ask the Controller to directly transfer your personal data to an administrator designated by you, where technically feasible.

(2) You may at any time download or receive in machine-readable format the data that is stored and processed for you in connection with the use of the Services of the Administrator by email request.

Right to receive information

Art. 14. You may ask the Controller to inform you about all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The administrator may refuse to provide this information if this would be impossible or require disproportionate effort.

Right to object

Art. 15. You may object at any time to the processing of personal data by the Controller that relates to him or her, including if processed for profiling or direct marketing purposes.

Your rights in case of a breach of the security of your personal data

Art. 16. (1) If the Controller finds a breach of the security of your personal data that may pose a high risk to your rights and freedoms, the Controller shall notify you without undue delay of the breach and of the measures taken or to be taken.

(2) The administrator is not obliged to notify you if:

• has taken appropriate technical and organizational protection measures in respect of data affected by the security breach;
• has subsequently taken measures to ensure that the infringement does not result in a high risk to your rights;
• notification would require disproportionate efforts.

Persons to whom your personal data is provided

Art. 17. For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Controller may provide your data to the following processors:

Processor of personal data	Purpose of the processing of personal data
Supplier / Courier Company	Making a delivery to an address

These processors comply with all legality and security requirements for the processing and storage of your personal data.

Art. 18. The controller does not transfer your data to third countries.

Art. 19. In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name	Commission for Personal Data Protection
Registered office and address of management	2 „Prof. Tzvetan Lazarov” Blvd., Sofia, 1592
Correspondence Address	2 „Prof. Tzvetan Lazarov” Blvd., Sofia, 1592
Phone	+359 (2) 915 3518
Website	www.cpdp.bg

Art. 20. You can exercise all your rights regarding the protection of your personal data through the forms attached to this information or through the functionalities in your profile. Of course, these forms are optional and you can make your requests in any form that contains a statement of this and identifies you as the data holder.

Art. 21. If the consent relates to transfer, the Administrator describes the possible risks for the transfer of the data to third countries in the absence of a decision on adequate protection and appropriate remedies.

Art. 22. The Company may amend the Privacy Policy by posting a notice on its website.

Art. 23. The administrator does not own its own servers to store your data. The agreed relationship with the Administrator on this matter requires the submission of a “Privacy Policy” and the company that serves the Controller and physically owns the servers on which your personal data is located.

• Privacy Policy of SuperHosting.bg Ltd.
• Electronic signature accompanying the above declaration

Forms for exercising your rights in relation to your personal data:

1. Form of withdrawal of consent for processing purposes – Appendix No 1
2. Request to be forgotten – for erasure of personal data relating to me – Appendix No 2
3. Request for portability of personal data – Appendix No 3
4. Request for correction of data – Appendix No 4

“Heliantheae” Ltd. uses the web hosting services of “SuperHosting.bg” Ltd.

Here you can read their protection of the personal data of all clients of the company.