Store logo
EN | EUR
Language
EN
BG
Free shipping on orders over €50 | View more

Privacy Policy

PERSONAL DATA SECURITY POLICY FOR NATURAL PERSONS

This document contains the Personal Data Security Policy for Natural Persons ("Policy") and is related to the General Terms and Conditions, but does not form an integral part thereof, as it does not regulate rights and obligations, but rather aims to explain to users what personal data we process, in what manner, for what purpose, and what security measures are in place. It also provides information about the rights that you, our clients and users, have in connection with the processing of personal data by us. Any changes to the Policy will be published here.

Effective from: 01.10.2024

Your privacy is extremely important to us. This security policy discloses what personal data we collect from you through our mutual relationship and how we use that data.

DATA CONTROLLER

"HOME FINISHING" Ltd., UIC 148120124, VAT No. BG 148120124, with registered office and management address at: Varna, Western Industrial Zone, 10 "Perla" St., correspondence address: Varna, Western Industrial Zone, 10 "Perla" St., contact phone: 052 575525, email: orders@homefinishing.bg (hereinafter referred to as "HOME FINISHING", "We", "online store", "Site", "Website", "controller") is a controller of data, including personal data, in respect of information collected or provided while browsing the website www.homefinishing.bg or when making a purchase through it, as well as when browsing or purchasing goods or services through our Facebook page (collectively referred to as "Site", "Website"). This Policy also applies in cases where you, as natural persons (hereinafter "Data Subjects"), voluntarily provide us with personal data electronically (via email), by phone, or through other means, including in person at one of our commercial premises or offices. We also process personal data from inquiries directed to us, as well as for marketing and advertising purposes, profiling, participation in games, promotions and lotteries organized by us, and for any other purposes not prohibited by law. In processing personal data, HOME FINISHING complies with all applicable data protection regulations, including but not limited to Regulation (EU) 2016/679 ("Regulation") and the Personal Data Protection Act, because the security of our customers' personal data is of paramount importance to us. Therefore, this Policy applies in such cases as well.

SCOPE OF THE POLICY

This Policy applies to all our clients — natural persons using our services through orders placed on the Site or expressing interest in them by submitting inquiries (hereinafter "data subjects", "users").

Partners and third parties who work with or for HOME FINISHING, and who have or may have access to personal data, will be expected to read, understand and comply with this policy. No third party may access personal data held by HOME FINISHING without the company having first entered into a data confidentiality agreement that imposes obligations on the third party no less burdensome than those undertaken by HOME FINISHING, and that gives HOME FINISHING the right to audit compliance with those obligations.

This policy applies to all employees/workers (and interested parties) of HOME FINISHING, as well as to external suppliers of products and services with whom HOME FINISHING has concluded contracts. Any violation of the General Regulation will be treated as a breach of labor discipline or, respectively, as non-performance of contracts with partners, and where there is a suspicion that a criminal offense has been committed, the matter will be referred to the relevant state authorities as soon as possible.

For visitors to the Site who do not place orders or submit inquiries, but only browse our website, the Cookie Policy accepted and published on the Site applies.

DEFINITIONS

"Regulation" — General Data Protection Regulation 2016/679 of 27 April 2016, known as GDPR. The purpose of this European legislative act is to protect the "rights and freedoms" of natural persons and to ensure that personal data is not processed without their knowledge, and where possible, that it is processed with their consent.

"Personal Data" — any information relating to an identified natural person or a natural person who can be identified ("data subject"); a natural person who can be identified is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Special Categories of Personal Data" — personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

"Processing" — any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Controller" — any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Data Subject" — any living natural person who is the subject of personal data held by the Controller.

"Consent of the Data Subject" — any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

"Child" — The General Regulation defines a child as anyone under the age of 16. The processing of a child's personal data is lawful only if a parent or guardian has given consent. The Controller makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.

"Profiling" — any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

"Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Recipient" — a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

"Third Party" — a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

PRINCIPLES

When collecting and processing personal data, we are guided by the following principles: lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.

DATA SUBJECTS WHOSE DATA WE PROCESS

In connection with its activities, HOME FINISHING concludes and performs distance purchase-sale contracts, reviews job applications and proposals, processes forms for exercising consumers' rights, and handles requests from data subjects, responds to inquiries, issues and receives invoices, processes statistical data, manages a user panel on the site, and conducts advertising activities through advertising campaigns (promotions, games, etc.). In the course of these activities, HOME FINISHING processes information about the following Data Subjects:

(a) Natural persons, users of the site without registration, without leaving any data (in which case we process data but not personal data), and natural persons, users of the site without registration, who have voluntarily provided a limited amount of personal data (e.g. phone number and/or email address);

(b) Natural persons, users of the site with registration as registered users — in these cases we process data about the user that they entered during registration: email address, delivery address, names, billing details, order details, other data entered by the user;

(c) Natural persons who have submitted inquiries (including by phone), requests, initiatives, complaints, or other correspondence to us, including through the site, phone, email, or otherwise;

(d) Natural persons whose information is contained in inquiries (including by phone), requests, initiatives, complaints, or other correspondence directed to us;

(e) Natural persons with whom we enter into contracts (civil, including commercial or employment, most notably distance contracts) electronically (through the site or social networks, as well as via electronic correspondence) or in person at one of our offices or commercial premises;

(f) Natural persons whose data we have received through provision by third parties (e.g. when placing an order intended as a gift).

PERSONAL DATA WE PROCESS

Depending on the reason requiring the processing of personal data, the type of data may vary. The functionalities provided on the Site are not intended for storing and processing special categories of data within the meaning of Articles 9 and 10 of the Regulation. We request only such personal data as are necessary for the provision of the activity/service/product requested from us. In the course of use of the site by natural persons, we may also process other data that do not contain personal data but relate to the subject, such as their IP address, data on their activity on the site, and similar.

Data Provided When Placing an Order

In order to fulfil a distance contract concluded between you and HOME FINISHING (an order), we require certain information from you. You decide whether and how to use the options for concluding a distance sales contract provided through the Site or the Facebook page. In forms through which personal data are entered, we clearly indicate the mandatory or voluntary nature of providing the data. Data whose completion is mandatory are those without which it is impossible to conclude the respective contract. These are: name, email address, delivery address, contact phone number, your payment information (e.g. bank card), billing details, including ID number (EGN) if you wish an invoice issued to a natural person. If you provide data of third parties who will receive the order (e.g. for orders intended as gifts or other types of donations), you bear responsibility for providing the data to those third parties.

Data Provided When Registering on the Site

If you have chosen to store information about yourself on the Site by registering a profile, we store the above-mentioned data, as well as the order history made from each registered account on the Site. The required data coincide with those required when placing an order. In addition, we process IP address and activity data (date and time of registration, acceptance of the Privacy Policy and General Terms and Conditions, login to account, etc.).

Data Provided When Concluding Other Contracts

In cases where HOME FINISHING concludes other contracts with natural persons, other than distance sales, we require full name, ID number (EGN), address, and email address.

Data Provided by, through, and on Other Websites and Applications (Third Parties)

In certain cases, you have the option to share information with social networks or use their sites to create your profile or link your profile on our website to the respective social network. In such cases, the social network may automatically provide us with access to certain personal information they have collected about you (e.g. content you have viewed, content you prefer, information about ads you have been shown or clicked on, etc.). By linking your social network profile to your account on our website, you allow us to access your personal data processed by the relevant social network and to collect, use and retain such information in accordance with this Privacy Policy. This linking of a social network profile with a registration on our website takes place if you click on a link provided for creating a registration on our website through social media integration, thereby voluntarily establishing a connection to the relevant social media site. If you have chosen to register on our site through a social network, we may process your data such as name, phone, email, gender, marital status, age, photo, education, place of birth, place of residence, and other data you have provided to those platforms that are visible to us when you log in with them on our site.

If you provide your personal data to HOME FINISHING via Viber, Skype, Facebook or another platform/social network, we inform you that these platforms/websites/social networks have their own privacy policies, and we accept no responsibility or liability for those policies, insofar as their processing cannot be controlled by HOME FINISHING. In this regard, we recommend that you check those policies before sending us your personal data through these websites/applications.

Data Provided When Publishing a Comment, Review or Post

If you leave a post or comment on this website, your IP address will be saved together with your name, if you have entered this information. This is for the safety of the website operator. If your text violates the law, they would want to be able to trace your identity. Separately, HOME FINISHING is obliged to store such data (referred to as "traffic data") for certain periods and for certain purposes specified below. Because sending comments, inquiries and other messages to the site, Facebook page/group or their administrators constitutes the sending of an electronic statement under the Electronic Document and Electronic Certification Services Act ("EDESА"), the controller is obliged to maintain logs of the fact of sending the statement for a period of 1 year. The log contains the date of the statement, the name and email address of the sender.

Employee Data and Data Collected When Processing Job Applications

We process data when concluding employment contracts and when evaluating and processing job applications. When concluding employment contracts, we require full name, ID number (EGN), address, age, gender, education data, work experience, bank details, and subsequently also process health data. When processing CVs, we process name, address, email address, age, gender, education, work experience, photo, and data voluntarily provided by the applicant during an interview or in the CV.

Data Provided in Connection with Correspondence, Complaints and Reports

For the purpose of resolving submitted complaints, reports, disputes, inquiries, requests or other matters raised in communications to HOME FINISHING, received through electronic forms on the Site, by calls to HOME FINISHING, by regular or electronic mail, HOME FINISHING stores and processes this information, as well as the outcome of such processing. This may include name, email address, phone number, and address.

Furthermore, because sending comments, inquiries and other messages to the site, Facebook page, or their administrators constitutes the sending of an electronic statement under the EDESA, we are obliged to maintain a log of the fact of sending the statement (without its content) for a period of 1 (one) year. The log contains the date of the statement, name and email address of the sender, and identification of the sender.

If you provide us with personal information about someone else, you must do so only with that person's authorisation. You must inform them of how we collect, use, disclose and retain personal information in accordance with this Personal Data Security Policy for Natural Persons.

Technical Data Collected in the Course of Using the Site

In addition, we collect information from your computer, phone, tablet or other device that you use. This information may include the following:

  • The identifier of the device you are using, the type of device and a unique identifier for that device, "log data", including information that your browser automatically sends us when you visit a website; this log data includes the internet protocol address, the address and activity of websites you visit, searches, browser type and settings, date and time of your request, how you used the site, cookie data and device data; if you would like more details about the information we collect, please contact us via the contact form.
  • Location information transmitted by the device, if you have set it to display location data — please note that mobile devices allow you to control or disable the use of location services by any application on your mobile device in the device's settings menu.
  • Computer and connection information, such as page view statistics, IP address, browsing history on the site, language settings, date and time.
  • Quick-search logs to facilitate your searches — quick links to repeat previous searches allow you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. When using the Site, a cookie with a randomly generated number is stored in your browser, allowing the Site to show you quick links to repeat previous searches. The Site stores and displays the last 10 searches associated with that browser, and upon logging into your account, you can save and use them there. If you use the Service with registration (currently an inactive feature), the last 10 searches are stored in your account.
  • Security, technical support, development and other logs:
    • To ensure the reliable functioning of services and identify technical problems;
    • To ensure the security of services and detect malicious activity;
    • To develop and improve site services;
    • To measure the traffic and usability of the site;
    • Logs where required by law (such as logs of electronic declarations);
    • Login log for user profile (account) — this log enables the detection and automatic blocking of unauthorised access attempts to accounts; it is maintained for a period of up to 1 (one) year and contains the date and time of login, status, whether the login is via mobile version, application or desktop browser, IP address;
  • Server logs, logs from security devices (Web Application Firewalls) and other devices in this category. These logs are necessary for identifying technical problems, detecting malicious activity and other purposes listed above; they are stored for a period of up to 1 (one) year. Logs may contain the following information: date and time, IP address, URL, browser and device information. In addition, some devices may use cookie-based security technology.
  • Cookies — the use of cookies is necessary for the functioning of the Site. In this connection, a Cookie Use Policy has been adopted; please refer to the Policy for more details on: the types of cookies we use, the duration of their storage and use, etc.

We may prefer to reduce the volume of data we store and process in line with the purposes of processing.

We do not require and will not collect and process personal data that reveal: racial or ethnic origin; political, religious or philosophical beliefs; trade union membership; genetic and biometric data; health data; or data about sexual life or sexual orientation. If a data subject voluntarily and on their own initiative provides such categories of data, HOME FINISHING bears no responsibility for the provision thereof, and is solely obliged to apply the same protective measures as provided for the requested personal data. We do not transfer data to third countries. We also do not make automated decisions regarding personal data and do not process data of persons under 16 years of age. If you are under the age of 16, you should not provide us with personal data about yourself.

PURPOSES FOR WHICH WE PROCESS YOUR DATA

The primary purpose for which WE process your personal data is, generally speaking, the provision of services through the Site and social networks, namely the conclusion of a distance sales contract and the delivery of goods and services ordered by you, as well as the accounting of revenues. We also use your personal information to provide and improve our Services, to provide you with a personalised experience on our site, to contact you regarding your profile and our Services, to provide you with customer service, to provide you with personalised advertising and marketing based on your interests, to fulfil lotteries and games organised by us, and in certain cases to detect and investigate fraudulent or illegal activities.

HOME FINISHING collects, uses and processes the information described above for the purposes set out in this Policy, which may be related to:

  • Concluding a distance purchase-sale contract for goods/services between you and HOME FINISHING through the Site or social networks — we require your identification, contact and payment data in order to conclude a contract with you, and accordingly, to send you the order;
  • Concluding a consumer credit agreement when you have requested the purchase of a product or service from the Site on credit;
  • Processing payments and preventing fraudulent transactions (we may transfer your data to a third party to perform these functions);
  • Concluding employment contracts and processing and evaluating submitted CVs;
  • Protecting and enforcing the legitimate interests of other users of the Services, third parties and the Site — legitimate interest pursues purposes related to the lawful interests of HOME FINISHING and/or third parties. These purposes include:
    • Identifying and resolving technical or functionality issues, developing and improving the functionality of the Site;
    • Communicating with you, including electronically, on important matters related to the services we provide and the fulfilment of concluded contracts;
    • Targeting our marketing, service updates and promotional offers to you based on your preferences;
  • Receiving and processing complaints, requests and other correspondence;
  • Exercising and protecting the rights and legitimate interests of the Site, including through legal action, and assisting in the exercise and protection of the rights and legitimate interests of other users of the site and/or affected third parties;
  • Administering the website and application and keeping them secure and safe;
  • Analysing and improving the use of our website, application and retail (including using information about how you navigate our website, app and/or stores);
  • Measuring and analysing our advertising and making suggestions and recommendations to you based on the information you share with us;
  • Communicating with you about your profile, resolving issues with your profile. When contacting you by phone for efficiency purposes, we may use automated or pre-recorded calls and text messages;
  • Informing you about products and services for which you wish to receive information by email, post, mobile phone and/or through other digital means (depending on your stated preferences), including social media platforms — only where we have received your explicit consent;
  • Registering you on the website (in which case we will also use your personal information to maintain and update your profile, e.g. change of address or change in marketing preferences);
  • Administering any competitions/lotteries/prize draws conducted by HOME FINISHING;
  • Providing you with location-based services (such as advertising, search results and other personalised content);
  • Fulfilling the statutory obligations of HOME FINISHING, which include:
    • Fulfilling legally prescribed obligations to retain or provide information in view of our tax obligations to the state (e.g. under the Accounting Act and other tax laws — VAT Act, Personal Income Tax Act, Corporate Income Tax Act, Tax-Insurance Procedure Code, etc.);
    • Fulfilling statutory obligations under the Labour Code, the Commercial Register and Non-Profit Legal Entities Register Act, and other regulatory acts;
    • Fulfilling orders received from competent state or judicial authorities (e.g. under the Ministry of Interior Act, the Code of Criminal Procedure, the Electronic Communications Act);
    • Fulfilling obligations provided for in the Data Protection Regulation related to notifying you of various circumstances connected to your rights, the Services provided, or the protection of your data, etc.;
    • Fulfilling obligations provided for in the Consumer Protection Act, such as ensuring the right of withdrawal and the right to a statutory warranty;
    • Defending HOME FINISHING in legal proceedings.

Your data may be processed on the basis of your explicit consent, in which case the processing is specific and to the extent and scope provided for in the respective consent. We typically request such consent from you when we wish to process your personal data without a legal obligation or legitimate interest for HOME FINISHING. Most commonly, we request such consent when we wish to offer you information about new promotions, products, etc.

RETENTION PERIOD OF YOUR PERSONAL DATA

In storing data, WE apply the general principle of storing data in a minimal volume and for no longer than necessary for the provision of Services and the fulfilment of contracts, ensuring their security and reliability, and meeting legal requirements. We will retain your personal information for a period necessary to fulfil the purposes set out in this "Personal Data Protection Policy", unless the law or our legitimate interest requires us to retain it for a longer period. Depending on the type of data and the purposes for which it was collected, a retention period has been established, upon expiry of which the information is permanently deleted.

Type of Data Retention Period / Legal Basis Notes
Registration data (first name, last name, email address, phone, address) and information about the registration and acceptance of the Terms (date, time, IP address) Period: For the entire period of maintaining the account on the Site and up to 5 (five) years after termination of registration. Basis: Performance of contractual relations; fulfilment of legal obligations; protection of legitimate interest. The data identify you as a registered user on the Site. For the purpose of resolving possible disputes arising or becoming known after termination of the Site use agreement and in connection with the EDESA (see below), these data are stored for a period of up to 5 (five) years after account termination. Important! Under the EDESA (see below), some of this data (activity, IP address) must be stored by the controller for a period of up to 1 (one) year after account termination. The extension of the storage period is due to the protection of the controller's legitimate interests.
Personal data from orders and from invoices issued or received by the controller, payment documents (orders, statements), reports and other accounting, reporting and payment documents. Personal data from employee records. Period: For the period during which the rights and obligations of the parties to the legal relationship under which the accounting, reporting or payment document was issued subsist, up to 5 years after termination of the legal relationship. Certain data are stored for a longer legally defined period as they constitute accounting information — transaction data, billing data — between 5 and 50 years. Basis: Fulfilment of legal obligations and protection of the controller's legitimate interests. The data identify you as a party to the distance sales contract and are stored to ensure your rights and fulfil our obligations as taxable persons. Storage is also necessary to ensure the rights of buyers (natural persons) where a time limit has been prescribed (e.g. 2-year warranty). Legal obligations also require the determination of the retention period in the described manner. Under Article 38 of the Tax-Insurance Procedure Code (TIPC), accounting and commercial information, as well as all other information and documents relevant to taxation and mandatory social security contributions, are stored by the obligated person in accordance with the procedure established by the National Archival Fund Act for the following periods: payrolls — 50 years; accounting registers and financial statements — 10 years; documents for tax-insurance audit — 5 years after expiry of the statute of limitations for extinguishing the public obligation to which they relate; all other media — 5 years.
Personal data from correspondence, complaints and reports, requests, initiatives Period: Data from correspondence, complaints, reports, requests, initiatives are stored for up to 5 (five) years under the Obligations and Contracts Act (limitation periods for claims). Basis: Protection of the controller's legitimate interests. For the purpose of resolving submitted complaints, reports, disputes, inquiries, requests or other matters raised in communications to Us, received through electronic forms on the Site or by regular or electronic mail, We store and process this information and the results of such processing. Given the limitation periods under Bulgarian law, this information is stored for up to 5 (five) years.
Log confirming the sending of a comment, inquiry, order or other declaration (contains sender, recipient, date and time of the declaration) Period: For a period of 1 (one) to 5 years. Basis: Fulfilment of legal obligations and protection of the controller's legitimate interests. Because sending a comment, review, inquiry or other statement constitutes the sending of an electronic statement from you to us under the EDESA, the company is obliged to maintain a log of the fact of sending the statement for a period of 1 (one) year. The controller's legitimate interest allows, in certain cases, extending the retention period for this data to 5 years from the date of the statement.
Quick searches (do not contain personal data) Period: Until deleted by you; until termination of your registration or up to 6 (six) months if you use this functionality without registration. Basis: Data subject's consent and protection of the controller's legitimate interests. This option allows you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. Quick links to repeat the last 10 searches are stored. You can change the setting from the browser you are using.
Settings and System Logs (do not contain personal data; may contain information such as: date and time, IP address, URL, browser and device version information) Period: Until deleted by you or until termination of your registration. If stored in a cookie — between 6 (six) and 12 (twelve) months from last use. Basis: Data subject's consent. Fulfilment of legal obligations and protection of the controller's legitimate interests. This category includes settings such as language selection and similar. You control the settings and can change them through your browser. Server logs, logs from security devices (Web Application Firewalls) and other devices in this category. These logs are necessary for identifying technical problems and/or detecting malicious activity.
Information stored in the mobile application For the period of its use (until uninstallation). Information necessary for the technical provision of Services (such as settings, etc.)
Cookies Period: Between 6 and 12 months — depending on the type of cookie and your browser settings. Basis: Data subject's consent and protection of the legitimate interests of the controller. For a description of the cookies used, see "Cookie Use Policy".

Exceptions to Storage Period Rules

Please note that we will not delete or anonymise your personal data if they are required for pending judicial, administrative, arbitration, enforcement proceedings or proceedings for the review of your complaint before us. Deletion will be carried out after the need for the data has ceased, and it is possible that this will be after the expiry of the periods indicated above.

You can always ask us to delete certain information or close your account, and we will respond to that request by retaining certain information, even after account closure, when required by applicable law or legitimate interests. If we are legally obliged, or if it is reasonably necessary to comply with regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms, we may retain some of your personal information for a limited period even after you have deleted your profile.

In order to ensure service reliability and protect against data loss for technical reasons, the Site applies a data redundancy policy. The maximum period for updating (deleting data) from all backup copies is 30 days.

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

HOME FINISHING, respectively the Site, does not provide your personal data to third parties unless there is a legal basis for doing so — a legal or contractual obligation, legitimate or vital interest, or your consent. We endeavour to minimise the personal data we disclose, which is always directly related to and necessary for achieving a specific purpose. We do not sell, rent or otherwise disclose your personal information to third parties for their marketing and advertising purposes without your consent. We guarantee that access to your data by private third parties is carried out in accordance with the legal provisions on data protection and confidentiality of information, on the basis of contracts concluded with them.

We may disclose your personal data when we are subject to a legal obligation. In certain cases, HOME FINISHING is obliged to disclose your data to public authorities such as the police, prosecution service, court, in connection with the prevention or detection of crime. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction purposes. You should be aware that if requested by the police or any other regulatory or state body investigating alleged illegal activities to provide your personal information or other information we receive about you, we have the right to do so after verifying the validity of the request. When we receive sales revenues, we may be required by revenue authorities to provide sales data containing data from your orders, including personal data. In this connection, we provide your data to the accounting firms we work with. It is a statutory obligation of the Site and HOME FINISHING to maintain the security of the networks and data processed by the company. In this regard, we implement a number of measures, the implementation of which may require the processing of your data by IT companies responsible for security in our company.

We may have a contractual obligation to provide your data under a distance sales contract concluded with you, by virtue of which we are obliged to deliver the goods or services you requested via a courier service. The same applies if you have chosen to purchase or pay for a product or service from our Site via payment, credit or banking services, whose providers you share your data with personally or authorise us to do so. If you have chosen to insure a product/service at the time of purchase through the Site, your data will be shared with the insurance companies through the order. If we install a purchased product through a subcontractor, we may provide your data to them in order to carry out the service/warranty service.

Our legitimate interest justifies in certain cases the provision of personal data to third parties. Such would be the situation in proceedings initiated before the Commission for Personal Data Protection, the Commission for Consumer Protection and other state authorities. There is a legitimate interest for HOME FINISHING when we engage other companies and individuals to perform certain tasks on our behalf that complement our services, within the framework of data processing agreements. We would always like you to be informed about the best offers for products/services you are interested in. In this regard, we may provide certain of your data — only with your explicit consent — to providers of marketing/telemarketing services and other companies with which we may develop joint programmes for marketing our goods and services.

Our website may also contain links to and from third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we accept no responsibility or liability for these policies. Please check these policies before submitting information to these websites. Our site uses YouTube LLC, represented by Google Inc., for video integration. Normally, when you visit an embedded video page, your IP address will be sent to YouTube and cookies will be installed on your device. However, our YouTube clips are integrated in extended privacy mode (in this case YouTube is still in contact with Google's DoubleClick service, but personal data in accordance with Google's privacy policy is not used). As a result, YouTube does not store any information about visitors unless they watch the actual video. If you click on the video, your IP address will be sent to YouTube and YouTube will know that you have watched the video. If you are logged into YouTube through your user profile, this information will be linked to your user profile (you can prevent this by logging out of YouTube before clicking on the video to watch it). We have no information about the possible collection and use of your data by YouTube. For more information, see the YouTube Privacy Statement at www.google.com/intl/en/policies/privacy/.

TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?

We currently store and process your personal data in Bulgaria.

Nevertheless, some of your personal data may be transferred to entities located within the European Union or outside of it, including to countries for which the European Commission has not recognised an adequate level of personal data protection.

We will always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests. Transfers of data to service providers and other third parties will always be protected by contractual obligations and, where appropriate, by other safeguards, such as standard contractual clauses issued by the European Commission or certification schemes, such as the Privacy Shield for the protection of personal data transferred from the EU to the United States of America.

You may contact us at any time using the contact details provided at the end of the Policy to find out which countries we transfer your data to and what protective measures we apply in connection with these data transfers.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

Under the General Data Protection Regulation, you have the following rights:

Right to Information

This Policy aims to provide you with detailed information about the processing of your personal data. Where there is a risk of a breach of the security of your personal data, the controller is obliged to notify you of the nature of the breach and what measures have been taken to address it, as well as whether the supervisory authority has been notified of the breach. The data subject may also request information about all recipients to whom personal data — for which correction, erasure or restriction of processing has been requested — have been disclosed.

Right of Access

You have the right to obtain confirmation as to whether your personal data are being processed, access to them, and information about the manner of their processing and your rights in this regard. As a data subject, you have the right to request confirmation as to whether your personal data are being processed and, if so, to obtain access to your data and the following information: the purpose for which data are processed, what personal data, the recipients of data, and the duration of processing. Access requests must be made in writing/electronically and addressed to the controller. In this case, we provide a copy of the processed personal data in electronic or other appropriate form.

Right to Rectification

You have the right to correct and supplement your personal data if they are incomplete or inaccurate. For registered users, this option is also available in the user panel on the Site. Unregistered users can obtain this information by submitting a request to the controller. As a data subject, you have the right to request rectification or supplementation of your personal data that are inaccurate/out of date or incomplete. For this purpose, you must submit a separate request. Your request will be answered by the controller in writing to the email address you have provided.

Right to Erasure (Right to Be Forgotten) and Account Closure

As a data subject, you have the right to be "forgotten", i.e. to request that your personal data be erased without undue delay — meaning that the controller must erase your personal data from all systems and records where they are stored, including notifying all third parties/data processors to whom it has provided the data.

If you wish, you have the option to close your account on the site at any time. This option is also available in the user panel on the Site. After account closure, all or part of the data is deleted. In connection with our obligations, responsibilities and legal requirements (e.g. the Electronic Communications Act or the EDESA), we may retain certain data for a certain period (see the section above).

In order to ensure service reliability and protect against data loss for technical reasons, the Site applies a data redundancy policy. The maximum period for updating (deleting data) from all backup copies is 30 days.

A request for erasure may be submitted on the grounds provided for in the Regulation, including where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected;
  • Where you have withdrawn your consent;
  • Where you have objected to the processing of personal data and there are no overriding legitimate grounds for the processing;
  • Where the processing is unlawful;
  • Where the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the controller;
  • Where the personal data have been collected in connection with the offer of information society services.

Please note that we may refuse to erase some or all personal data where there is a substantial basis and/or legal obligation for their processing. You will be duly informed of this. The controller may refuse to erase personal data on the grounds set out in the Regulation — where the processing of the specific data is for the purpose of:

  • Exercising the right of freedom of expression and the right to information;
  • Compliance with a legal obligation requiring processing under Union or Member State law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Reasons of public interest in the area of public health;
  • Archiving purposes in the public interest, scientific or historical research, or statistical purposes;
  • Establishing, exercising or defending legal claims.

Right to Restriction of Processing

The General Data Protection Regulation provides for the possibility of restricting the processing of your personal data where grounds exist as provided therein. Restriction is permitted in the following cases:

  • When you consider that your personal data are inaccurate, in which case the restriction is for the period necessary for the controller to verify accuracy;
  • When the processing of your personal data is unlawful, but you do not wish them to be erased, and instead wish only the use thereof to be restricted;
  • When the controller no longer needs your personal data for the purposes of the processing, but you, as a data subject, require them for the establishment, exercise or defence of legal claims;
  • When you have objected to processing, pending verification of whether the legitimate grounds of the controller override your interests.

Right to Notification of Third Parties

Where applicable, you have the right to request the Controller of your personal data to notify third parties to whom it has provided your data regarding the rectification, erasure or restriction of processing of your personal data.

Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or a contractual obligation, or where the processing is carried out by automated means.

Important: Responsibility for storing data exported from the Site, as well as for all consequences of providing them to other controllers, lies entirely with you.

Right Not to Be Subject to a Decision Based Solely on Automated Processing

You have the right not to be subject to such automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless there are grounds provided for in applicable personal data protection law and appropriate safeguards are in place to protect your rights, freedoms and legitimate interests.

Right to Withdraw Consent

You have the right, at any time, to withdraw the consent you have given in connection with the processing of personal data on the basis of your previous consent. Such withdrawal does not affect the lawfulness of processing based on the consent given before its withdrawal. For services such as email subscriptions, which are subscribed to on the basis of your wish (consent), there is an option to unsubscribe at any time (withdrawal of consent). In the event of withdrawal of consent, we have the right to request that the identity of the applicant be verified in order to confirm their identity as the person to whom the data relate.

Right to Object

You have the right to object to data processed on the basis of legitimate interest. Upon receipt of such an objection, We will consider your request and, if it is well-founded, fulfil it. If we consider that there are compelling legitimate grounds for the processing or that it is necessary for the establishment, exercise or defence of legal claims, we will inform you accordingly.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint against our company (data controller) with the supervisory authority if you consider that the processing of personal data relating to you infringes applicable personal data protection law. The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, address: 1592 Sofia, 2 "Prof. Tsvetan Lazarov" Blvd., email: kzld@cpdp.bg, website: www.cpdp.bg, phone: 02 915 3 518.

HOW TO EXERCISE YOUR RIGHTS. RESPONSE DEADLINES

You may exercise the stated rights free of charge at any time, via email or by a written request sent to the addresses indicated in the contact form on the Site or at the end of this Privacy Policy. You may address your requests both to the controller and directly to the Data Protection Officer. Requests must be made in a manner that allows the identity of the applicant to be established. In relation to certain rights, technical means for exercising them may be available, for example an unsubscribe button. In all cases, the controller must respond to the request or take a position regarding the exercised right at the address provided in the request, including an electronic address, within one month of receiving it.

In the event that you exercise these rights in a manifestly unfounded or excessive manner, in particular due to their repetitive nature, we reserve the right to impose a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action, or to refuse to act on the request. We will inform you of our fees, where applicable, before responding to your request.

ACCURACY OF INFORMATION

We bear no responsibility for the accuracy of the data you provide, do not carry out verifications in this regard, and do not guarantee the actual identity of the natural persons who have provided the data. In all cases of doubt on your part or established fraud and/or abuse, we ask that you notify us immediately. You undertake, when providing any information on the Site, not to violate the rights of other persons in connection with the protection of their personal data or their other rights.

GENERAL INFORMATION ABOUT THE POLICY

This Personal Data Policy may be amended or supplemented due to changes in applicable Bulgarian or European law, at the initiative of HOME FINISHING or a competent authority.

HOME FINISHING will inform users of amendments or additions to this Personal Data Policy through the publication of the updated Personal Data Policy on our website.

Users are advised to periodically check the most current version of this Personal Data Policy on the HOME FINISHING website.

HOW WE PROTECT YOUR RIGHTS

SECURITY MEASURES

In order to provide the best possible protection of the data of the company and our clients/users/contracting parties/visitors to the Site, WE apply all necessary organisational and technical measures provided for in the General Data Protection Regulation and the Personal Data Protection Act, as well as best practices from international standards. We apply the appropriate and necessary level of protection and have developed effective physical, electronic and administrative procedures to protect the data we collect from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

We store your data on secure servers using the latest encryption algorithms and guarantee the storage of backup copies.

The company has adopted the necessary rules and procedures related to the lawful processing of your personal data, including a Data Breach Response Plan, has established structures for the prevention of abuse and security breaches, and has designated a Data Protection Officer who supports the processes of lawful processing, protection and security of your data.

Access to your personal data is permitted only to those employees, service providers or persons related to them on a need-to-know basis for business purposes or who require it for the performance of their official duties. All employees/workers are required to be trained and to accept the relevant contractual clauses/declarations/rules for compliance with the organisational and technical access control measures before being granted access to information of any kind.

A guiding principle in our structure is that all employees/workers are responsible for ensuring the security of the stored data for which they are responsible and which we process, as well as that data is stored securely and not disclosed under any circumstances to third parties, unless we have granted such rights to that third party by concluding a confidentiality agreement/clause. In this regard, all personal data is accessible only to those who need it, and access may be granted only in accordance with the established access control rules. All personal data is treated with the utmost security and is stored:

  • In a separate room with controlled access; and/or
  • In a locked cabinet to which authorised persons have access; and/or
  • In a computerised system protected by a password in accordance with the internal requirements set out in the organisational and technical access control measures; and/or
  • On computer media that are secured in accordance with the organisational and technical access control measures.

Personal data is deleted or destroyed only in accordance with internal data retention and destruction procedures.

For maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymisation, and backup technology.

We use a payment service to process payments. All payment information is encrypted using SSL technology.

When you post in forums, chat rooms or social network services, the personal information you share is visible to other users and may be read, collected or used by them. In these cases, you are responsible for the personal information you choose to provide.

Despite the measures we apply to protect your personal data, we are aware that in principle the transmission of information over the internet or other public networks is not completely secure, and there is a risk that data may be viewed and used by unauthorised third parties. We cannot accept responsibility for those vulnerabilities in systems that are not under our control. In the event of a data breach involving personal data, we guarantee that we will comply with all applicable notification requirements in such cases.

COOKIE POLICY

As an integral part of this Personal Data Security Policy for Natural Persons, HOME FINISHING has also adopted a Cookie Use Policy, published and accessible both on the Site and on our Facebook page.

CONTACT US

DATA PROTECTION OFFICER

Questions and requests relating to the exercise of your personal data protection rights may be directed to HOME FINISHING via the contact form available on the Site or through one of the contact forms listed below:

"HOME FINISHING" Ltd., UIC 148120124, VAT No. BG 148120124 Registered office and management address: Varna, Western Industrial Zone, 10 "Perla" St. Correspondence address: Varna, Western Industrial Zone, 10 "Perla" St. Contact phone: 052 575525 Email: orders@homefinishing.bg

DATA PROTECTION OFFICER

Correspondence address: Varna, Western Industrial Zone, 10 "Perla" St. Email: orders@homefinishing.bg Contact phone: 052 57 55 25