Privacy Policy

PRIVACY POLICY

  1. INTRODUCTION

This Personal Data Protection Policy ("Policy") outlines the rules for the protection of personal data of individuals using the Website  ("Platform"), owned by Crafts and Roses Ltd., with UIC BG203965481 and address of management in Sofia, Mladost 2 Residential Complex, bl. 206, Ent. 8, floor 7.

The website fully complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("Regulation"), entering into force on 25.05.2018, and the Personal Data Protection Act ("PDPA").

By using The website, you accept and undertake to comply with this Personal Data Protection Policy, the Cookie Policy and the General Terms and Conditions of the Website.

  1. DEFINITIONS

    1. "Personal Data" is any information relating to a natural person (Data Subject) who is identified or can be identified directly or indirectly by an identifier such as: name, civil identification number, location information, gender, address, telephone number, online identifier or by one or more attributes specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

    2. "Processing of personal data" is any action or set of actions carried out with personal data by automated or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, arranging or combining, restricting, deleting or destroying it.

    3. "Subject of personal data" is any natural person who is a User of 

    4. "Website/Site" means the content of www.RoseCosmetics.net domain  and its subdomains;


  1. PRINCIPLES OF PERSONAL DATA PROTECTION

    1. Legality, good faith, transparency

Personal data must be processed lawfully, fairly and in a transparent manner vis-à-vis the data subject. In view of www.RoseCosmetics.net may collect and process your personal data only for the fulfilment of the following purposes:

  1. management of your request and concluded contract

    1.  On the basis of the contract concluded between us and you, we process information about the type and content of the contractual relationship:

      1. personal contact details – full name, contact address, email, phone number;

      2. identification data at payment - three names, unique civil number or personal number of a foreigner, permanent address, CV;

        1. for legal entities – name, address of management, UIC, phone number and email for correspondence

      3. e-mail, letters, information about your requests for troubleshooting, complaints, requests, complaints;

  2. saving correspondence in connection with an order already placed, processing requests, reporting problems, etc.

  3. contacting the User and sending information to him/her.

  4. For the fulfilment of a regulatory obligation.


  1. Purpose Limitation

Personal data must be collected for specific, explicit and lawful purposes and not processed in a way that is incompatible with those purposes. www.RoseCosmetics.net collect and process your personal data for the following purposes: creating an account and providing full functionality when using online services from the Website;

  1. placing orders and purchasing services;

  2. individualization of a party to the contract;

  3. accounting purposes;

  4. statistical targets;

  5. protection of information security;


  1. Data minimization 

Personal data must be adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed www.RoseCosmetics.net  in its capacity as Controller applies anonymity or pseudonymization of personal data, if possible in order to reduce the risks for the data subjects concerned. 

  1. Accuracy

Personal data must be accurate and, where necessary, updated; reasonable steps must be taken to ensure that inaccurate personal data, given the purposes for which it is processed, is deleted or corrected in a timely manner. The Website is not responsible for incorrectly provided data by its Users.

  1. Storage Limit

The Website stores your personal data for a period not longer than the moment of withdrawal of consent to processing. After deletion of your account or successful completion, the Administrator takes the necessary care to delete and destroy all your data without undue delay or to anonymize it (i.e. to bring it into a form that does not reveal your identity).

  1. Integrity and confidentiality

The Website processes your personal data in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures;

Where we are required by law, we may provide your personal data to the competent public authority, natural or legal person.


  1. CONSUMER RIGHTS

Each User of the site enjoys all rights for the protection of personal data under the Bulgarian legislation and the law of the European Union. 


  1. Right of access:

The right of access provides each User with the opportunity to obtain a copy of their data, but also the right to receive detailed explanations of whether the data in question are processed lawfully. Each Data Subject has the right to understand the following:

  1. the purposes for which the personal data provided is used

  2. categories of this data

  3. whether the company has shared the data with third parties and, if so, who are those parties

  4. all sources from which the company has obtained your personal data

  5. Storage period for your data

  6. the other rights you have against the company, including the right to rectify your data, to delete your data (in certain circumstances), or to restrict or object to the company's use of your data

  7. if the company uses your data in an automated decision-making process (such as decisions made through artificial intelligence or an algorithm), meaningful information about the logic behind that algorithm, and the meaning and consequences that the company foresees for the use of your information in this way

  8. if the data is sent outside the European Union and, if so, what safeguards are in place to protect your data.


  1. Right to erasure 

The data subject has the right to request the controller to delete the personal data related to him without undue delay, where any of the following grounds apply:

  1. the personal data is no longer necessary for the purposes for which they were collected or otherwise processed;

  2. the data subject withdraws his/her consent on which the processing is based and there is no other legal basis for the processing;

  3. the data subject objects to the processing pursuant to Article 21(1) (GDPR) and there are no lawful grounds for the processing to prevail, or the data subject objects to the processing pursuant to Article 21(2) (GDPR);

  4. personal data have been processed unlawfully

  5. personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State that applies to the controller;

  6. personal data have been collected in connection with the provision of information society services under Article 8(1) (GDPR).

  1. Right to portability.

The data subject has the right to receive the personal data concerning him/her and which he/she has provided in a structured, commonly used and machine-readable format and has the right to transfer that data to another controller without hindrance where:

  1. the processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) (GDPR) or on a contractual obligation pursuant to Article 6(1)(b) (GDPR); and

  2. Processing is carried out in an automated manner


  1. Right to object.

Users have the right to object to the processing of their personal data before the controller and the controller is obliged to terminate their action, unless it proves that there are compelling legal grounds for it that take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.  personal data for direct marketing purposes should be terminated immediately.


  1. PROCESSING OF ANONYMIZED DATA

We process your data for static purposes, this means for analyses in which the results are only aggregate and therefore the data is anonymous. It is not possible to identify a specific person from this information.

  1. For the fulfilment of regulatory obligations

We may be required by law to process your personal data. In these cases, we are obliged to carry out the processing, such as:

  1. Obligations under the Measures Against Money Laundering Act;

  2. fulfilment of obligations in connection with distance selling, off-premises sales provided for in the Consumer Protection Act;

  3. provision of information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;

  4. providing information to the Commission for Personal Data Protection in relation to obligations provided for in the legal framework for personal data protection;

  5. obligations provided for in the Accountancy Act and the Tax and Social Security Procedure Code and other related normative acts in connection with the maintenance of lawful accounting;

  6. provision of information to the court and third parties in proceedings before a court, in accordance with the requirements of the regulations applicable to the proceedings;

  7. age verification when shopping online.

  1. For analytics and advertising and remarketing

    1. In order to improve our services and the experience of each User on our site, we use features provided by Google Ads and Meta ads: 

      1. Our sites and applications use Google Analytics, a web analytics service. It is operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Google Analytics uses the so-called "cookies" mentioned above – text files stored on your device that allow us to analyze user behavior. The information generated by the cookie is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored on the basis of Art. 6(1)(f) GDPR. The website administrator has a legitimate interest in analyzing user behavior in order to optimize its online services and advertising activities. To prevent Google Analytics from collecting information about you, please visit the Privacy Policy – Opt Out page

      2.  Your IP address will be truncated by Google within the European Union or other parties to the Agreement on the European Economic Area before it is transferred to the United States. Only in exceptional cases is the full IP address sent to a Google server in the USA and truncated there. Google will use this information on behalf of the administrator of our website to evaluate website usage, compile reports on website activity, and provide other services related to website activity and use. The IP address transmitted by your browser as part of Google Analytics will not be combined with other data stored by Google.

      3. Collection of Demographic Data by Google Analytics Our website uses the demographic characteristics of Google Analytics. This allows the generation of reports containing data on the age, gender and interests of website visitors. This data comes from interest-based advertising based on Google and third-party data. This collection data cannot be attributed to a specific person. You can disable this feature at any time,  by adjusting the ad settings in your Google Account, or by opting out of Google Analytics data collection.

      4. Google AdWords and Google Conversion Tracking, Facebook Pixels and Google AdWords Remarketing Our website uses Google AdWords. AdWords is an online advertising program developed by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). As part of Google AdWords services/tools, we use so-called "Conversion Tracking". Each Google AdWords advertiser has a different cookie. Thus, cookies cannot be tracked through the advertiser's AdWords website. The information obtained through this type of cookie is used to create statistics on advertisers' AdWords conversions. Advertisers are shown the total number of users who clicked on the ad and were redirected to a page with conversion tracking tags. However, advertisers do not receive any information that can be used to personally identify users. If you do not want to participate in tracking, you can opt out of this by simply disabling Google's conversion tracking cookie in your browser settings. This way, you won't be included in conversion tracking statistics.


Google Analytics cookies are stored on the basis of Article 6(1)(f) GDPR. The website administrator has a legitimate interest in analyzing user behavior to optimize their user experience and advertising activities. For more information about Google AdWords and Google conversion tracking, see Google's Privacy Policy: https://policies.google.com/privacy/.

Our website may use cookies such as Facebook Pixel and Adwords Remarketing tag. These two cookies allow us to collect information about users' sessions on our site and analyze them by displaying subsequent advertisements to visitors in Google Analytics for depending on an action performed on the site or other relevant features.


To repay Meta ads – By visiting : Facebook Settings for ads 

Ability to adjust Google Adwords: By visiting Google Ads Settings


  1. Processing and storage times

We delete data collected in accordance with an obligation provided for by law after the obligation to collect and store is fulfilled or dropped, such as:

  1. under the Accountancy Act for storage and processing of accounting data (11 years),

  2. obligations to provide information to the court, competent state authorities, etc. grounds provided for in the legislation in force (5 years).


  1. DATA SECURITY

In order to maximize security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Ensuring the security and confidentiality of the personal data entrusted to you is our priority. Therefore, We apply all appropriate technical and organisational measures in accordance with the applicable legal provisions, taking into account the nature of the personal data transmitted by You, as well as the risks associated with their processing, in order to maintain their security and in particular to prevent any accidental or unlawful destruction,  any kind of loss, alteration, disclosure, intrusion or unauthorized access to them.   


  1. RESPONSIBILITY OF DATA PROTECTION OFFICERS (DPA)

The responsible employees of the company assist the Controller or the data processor in all matters related to the protection of personal data. In particular, they must:

  1. inform and advise the Controller and/or the data processor, as well as their employees, about their obligations under the Data Protection Act;

  2. monitor the organisation's compliance with all data protection legislation, including audits, awareness-raising activities and training of staff involved in processing operations;

  3. to advise when a Data Protection Impact Assessment (DPIA) has been carried out and to monitor its implementation;

  4. act as a point of contact for requests from individuals regarding the processing of their personal data and the exercise of their rights;

  5. cooperate with the Data Protection Authorities (DPAs) and act as a contact point for DPAs on matters related to processing.


  1. INCIDENT REPORTING PROCEDURE

Each User has the right to file a complaint against unlawful processing of his/her personal data with the Commission for Personal Data Protection or with the competent court.

Name

Commission for Personal Data Protection

Registered office and address

G. Sofia 1592, blvd. "Prof. 2 Tsvetan Lazarov Str.

Correspondence address

G. Sofia 1592, blvd. "Prof. 2 Tsvetan Lazarov Str.

Telephone

+3592/91-53-518

Website

www.cpdp.bg


  1. CONTACTS: 

Any User User may send an inquiry or exercise his/her rights under this Privacy Policy through the listed methods of contacting Us provided in the "Contacts" section of the Website.


Cookie Policy


Use of cookies

Cookies are short text files or small packages of information that are stored through the Internet browser of your end device (computer, tablet, laptop or mobile phone) when you visit various sites and pages on the Internet. The main purpose of cookies is to make the user recognizable when he returns to the Website again. Some cookies also have a more specific application, such as to store user behavior on the site and to make it easier for the user to use the Website. More information about how cookies work can be found on the Internet.


How are cookies used on this Website?

We use cookies on this Website primarily for the purpose of facilitating the usability of the site, improving its operation and storing information about user behaviour. In this process, no personal data is stored, i.e. through the cookies on the site we cannot identify you as a person, therefore the Personal Data Protection Act does not apply to the collection of this information. The information collected by cookies is usually used in aggregate form for the purpose of analyzing user behaviour on the Website, which allows us to improve the functionality of the site, user paths and content used.


What cookies are used on this Website?

Session cookies

This type of cookie makes it easier for you to use the site, as they store information temporarily, only within the session of the browser used. Usually, the information stored through them is what goods or services you have added to the cart, which pages of the site you have visited and how you got to certain information. These cookies do not collect information from your end device and are automatically deleted when you leave the Website or terminate your browser session.


Persistent cookies

They enable us to store specific browsing information, such as analyzing visits to the Site, how you reached the Website, what pages you viewed, what options you have selected, and where you are headed through this Website. Tracking this information enables us to make improvements to the Website, including correcting errors and expanding the content. The storage period of this type of cookies varies according to their specific purpose.


Third-party cookies

Our Website contains links to other sites or embedded content from other sites, such as Facebook, YouTube, Twitter, Google+, LinkedIn, partner websites. It is possible that when you visit these sites or open the content from them, cookies from these websites are stored on your end device. It is these cookies that are defined as "third-party cookies", and we have no control over the generation and management of these cookies. For this reason, we advise you to seek information about them and how they manage the websites of the respective third parties.


How can I manage the use of cookies by this Website?

All browsers allow the management of cookies from a specially created folder of your browser. You can block the receipt of cookies, delete all or part of them, or set your preferences regarding the use of cookies before initiating a visit to our site. Please note that deleting or blocking cookies may adversely affect the functions of our Website, and therefore your user experience on it.


Disabling or blocking cookies

Controlling, disabling or blocking cookies is controlled by your browser settings. Please note that the complete prohibition of the use of all cookies may affect the functional presentation of the site, its effectiveness and access to certain information.