PRIVACY AND PERSONAL DATA PROTECTION POLICY
This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Personal Data Protection Act of the Republic of Bulgaria (PDPA).
1. Personal Data Controller
NATERRA LUXE EOOD, UIC: 208551267, with registered office address: Via Pontica, Sozopol, Bulgaria, is the Personal Data Controller within the meaning of Art. 4(7) of the GDPR.
Contact details of the Controller:
Email: info@naterraluxe.com
Phone: +359878603202
Address: Via Pontica, Sozopol, Bulgaria
Data Protection Officer (DPO):
Reneta Homsi | Email: info@naterraluxe.com
2. What Personal Data We Collect
We collect and process the following categories of personal data:
a) Data provided directly by you:
- Identification data: full name;
- Contact data: email address, telephone number;
- Address data: delivery address, billing address;
- Payment data: information about the chosen payment method (we do not store card details);
- Order data: order history, preferences;
- Communication data: correspondence, inquiries, complaints.
b) Data collected automatically:
- Technical data: IP address, browser type, operating system;
- Usage data: pages visited, products viewed or added to the cart;
- Cookies and similar technologies (see Cookie Policy).
3. Purposes and Legal Bases for Processing
a) Performance of a contract (Art. 6(1)(b) GDPR):
- Processing orders and payments;
- Organizing deliveries;
- Managing returns and cancellations;
- Communication regarding your order.
b) Legal obligation (Art. 6(1)(c) GDPR):
- Issuing invoices and accounting documents (VAT Act, Accounting Act);
- Storing financial records (5-year period);
- Complying with the requirements of the Consumer Protection Commission (CPC), the National Revenue Agency (NRA), and other competent authorities.
c) Legitimate interest (Art. 6(1)(f) GDPR):
- Preventing fraud and protecting systems;
- Improving products and services;
- Analyzing website usage (anonymized statistics).
d) Consent (Art. 6(1)(a) GDPR):
- Sending marketing messages and newsletters;
- Personalizing advertising content;
- Analytical cookies.
4. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Accounting documents | 10 years | Accounting Act, Art. 38 |
| Order data | 5 years | Limitation periods (OCA) |
| Complaints | 5 years | CPA, limitation periods |
| Registration data (account) | Until account deletion + 1 year | Contract |
| Marketing data | Until consent is withdrawn | Consent |
| Technical logs | 12 months | Legitimate interest |
5. Recipients of Personal Data
Your personal data may be shared with:
- Courier companies – for delivery purposes;
- Payment providers – for processing payments;
- Accounting services – for financial and accounting reporting;
- IT service providers – hosting, system maintenance;
- Marketing platforms – only with your explicit consent;
- Competent authorities – NRA, CPC, courts, prosecutor’s office, when required by law.
We do not sell or provide your personal data to third parties for their own marketing purposes.
6. Transfer of Data Outside the EU/EEA
When transferring personal data outside the European Union and the European Economic Area, we apply appropriate safeguards in accordance with Chapter V of the GDPR, including: standard contractual clauses approved by the European Commission, or transfers to countries with an adequacy decision by the Commission.
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) – to receive information on whether we process your personal data and a copy of it;
- Right to rectification (Art. 16 GDPR) – to request correction of inaccurate data;
- Right to erasure (“right to be forgotten”) (Art. 17 GDPR) – under certain conditions;
- Right to restriction of processing (Art. 18 GDPR) – under certain conditions;
- Right to data portability (Art. 20 GDPR) – to receive your data in a machine-readable format;
- Right to object (Art. 21 GDPR) – to processing for direct marketing;
- Right not to be subject to automated decision-making (Art. 22 GDPR);
- Right to withdraw consent – at any time, without affecting the lawfulness of processing before withdrawal.
To exercise your rights, please submit a request to: info@naterraluxe.com or in writing to: Via Pontica, Sozopol, Bulgaria. We will respond within 30 days of receiving your request.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority:
Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Phone: +359 2 91-53-518
Email: kzld@cpdp.bg
Website: www.cpdp.bg
9. Data Security
We apply appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction, including: SSL/TLS encryption of transmitted data, access control to systems, regular security reviews, and staff training.
10. Changes to the Policy
We reserve the right to update this Policy at any time. If there are significant changes, we will notify you appropriately. The date of the last update is indicated at the beginning of the document.
Controller: NATERRA LUXE EOOD | UIC: 208551267 | DPO: Reneta Homsi | Date: 25.03.2026
Disclaimer: This policy is based on the information provided and the extracted sources. It is a draft and may require further review and adaptation to fully comply with all applicable laws and regulations. It is recommended to consult with a legal professional specializing in data protection to ensure full compliance.