Privacy and cookies

Privacy Policy

This Privacy and Personal Data Protection Policy (“Policy”) is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”), the Personal Data Protection Act, and other applicable legislation.
The Policy reflects our commitment to transparency and clarity in our relations with users of the Vulgarista online store concerning the processing and storage of personal data. This document explains in an accessible way what information is collected, why it is collected, how it is used, how we protect it, and what your rights are in relation to this information.
If you have any questions concerning the processing of your personal data, do not hesitate to contact the Controller through the communication channels indicated in this document.

Section I – Information about the Controller

Art. 1 (1) General information about the data controller:
Name: ARISTIDOVA EOOD
UIC: 206480106
Registered office and address of management: Pomorie, 38 Aheloy St.
Correspondence address: Pomorie, 38 Aheloy St.
Phone: +359 899 83 85 60
Email: info@vulgarista.com

(2) For questions related to personal data processing and the exercise of rights under the GDPR, you can contact us at the dedicated email address: privacy@vulgarista.com
(3) The company has not appointed a Data Protection Officer (DPO), as it does not fall within the mandatory cases under Art. 37 of the GDPR.
(4) All personal data protection inquiries are handled by the company manager and authorized personnel.

Art. 2 The supervisory authority for personal data protection to which you may refer if your rights under this Policy are infringed is:
Name: Commission for Personal Data Protection (CPDP)
Address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd.
Email: kzld@cpdp.bg
Website: www.cpdp.bg
Phone: 02/ 91-53-555

Section II – Definitions of Frequently Used Terms

Art. 3. For the purposes of this Privacy Policy, the terms below shall be interpreted as follows:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing of personal data” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
“Data subject” means an identified or identifiable natural person to whom the personal data relate.
“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Legitimate interest” means an interest of the controller or of a third party which is sufficiently justified to warrant the processing of personal data, provided that this interest does not override the interests or fundamental rights and freedoms of the data subject.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Cookies” are small text files stored on your device (computer, tablet, smartphone, etc.) when you visit our website. Cookies help us ensure the proper functioning of the website, improve your user experience, and provide personalized content and advertisements.

Section III – Purposes and Principles in Collecting, Processing, and Storing Your Personal Data

Art. 4. The Merchant observes the following principles when collecting, processing, and storing your personal data:
Lawfulness – All our actions comply with the GDPR and other applicable legal acts. We are responsible for protecting your personal data.
Data minimization – We collect only the minimum amount of personal data necessary to achieve the purposes of processing. We do not collect or store unnecessary information that is not essential for providing our services.
Storage limitation – The period for storing your personal data is limited to the minimum necessary to achieve the purposes of processing.
Confidentiality and security – We are committed to keeping your personal data strictly confidential and ensuring its security. We apply strict protective measures to prevent any misuse.
Protection by design and technology – We use state-of-the-art encryption and other data protection methods to ensure data are inaccessible to unauthorized persons.
Limited access – Access to your data is granted only to designated employees trained to follow strict confidentiality rules. We provide access to third parties only when necessary and in compliance with all legal requirements.

Section IV – Legal Grounds for Collecting, Processing, and Storing Your Personal Data

Art. 5 The Merchant collects, processes, and stores personal data provided by users, registered users, and customers in connection with the use of the online store, provision of certain functionalities, as well as conclusion of distance sales contracts for goods, on the basis of Art. 6(1) GDPR, and specifically on the following grounds:

  • Your explicit consent;

  • Conclusion of a distance sales contract for goods and performance of our obligations under it;

  • Compliance with legal obligations for reporting to state and regulatory authorities applicable to the Merchant;

  • For the purposes of the legitimate interests of the Merchant or of a third party under the contract (carrier);

  • In other cases expressly provided by law.

Section V – Types of Personal Data the Merchant Collects, Processes, and Stores

Art. 6 (1) The Merchant processes the following categories of personal data and information in relation to the purposes and grounds listed below:

Online order on the site, where it is necessary to provide your identifying personal data (first and last name, phone, email, delivery address)
Purpose of collection:
Performance of the Merchant’s obligations under the concluded distance sales contract for the ordered goods.
Legal basis for processing:
By accepting the Terms and Conditions, the Privacy Policy, registering in the online store, or placing an order through the “Guest checkout” option, a contractual relationship arises between the Merchant and the User, on the basis of which we process personal data – Art. 6(1)(b) GDPR.

Data for delivery (name, phone, address, etc.)
Purpose of collection:
Performance of the Merchant’s obligation to deliver the ordered goods, for which purpose the data are provided to a third party – a carrier.
Legal basis for processing:
Upon acceptance of the Terms and Conditions and the Privacy Policy, at the time of contract conclusion via registration in the online store or guest checkout, a contractual relationship arises, on the basis of which we process your personal data – Art. 6(1)(b) GDPR, as well as for the purposes of our legitimate interest.

Assistance in case of an issue with an order or account registration (transaction data such as the card number used for payment, incl. order information such as recipient details, email address, phone, first and last name).
Purpose of collection:
The Merchant strives to fulfill all orders on time and to ensure the proper functioning of the site. Nevertheless, in certain cases the data subject may encounter a problem whose resolution requires sharing data. This information is shared via the site’s contact form or official email communication.
Legal basis for processing:
By accepting the Privacy Policy, the data subject is expressly informed of the need to share certain data and gives explicit consent, which is the basis for processing your personal data – Art. 6(1)(a) GDPR.

User experience data (IP address, number of orders, ordered goods, favorite products, frequency of visits, last visit, time spent on the site, viewed products)
Purpose of collection:
Optimization of content and design of individual pages in order to personalize distance selling conditions, increase customer satisfaction with the Merchant, and overall improvement of the services provided. The information is anonymized and encrypted and on this basis cannot identify a specific user and their personal details, unless the user is registered.
Legal basis for processing:
The basis for processing your personal data for direct marketing is our legitimate interest as a commercial organization. This allows us to provide you with information about products and services that may be of interest to you. In addition, by accepting the Privacy Policy through a specific action or consent to the use of cookies upon entering the site, including by registering in the online store, we process your personal data – Art. 6(1)(a) GDPR.

Sending a newsletter (email address)
Purpose of collection:
We collect your personal data to send our newsletter, with your explicit consent. The newsletter may contain current news, special offers, and promotions.
Legal basis for processing:
We process your personal data on the basis of your explicit consent. You may withdraw your consent at any time by clicking the unsubscribe link at the bottom of each newsletter we send you. If you withdraw consent, we will remove your data from our newsletter distribution list.

Account registration (email address)
Purpose of collection:
By collecting and processing the relevant groups of personal data, the Merchant can create, manage, and maintain your user account. This includes, but is not limited to, providing access to personalized services, managing orders and purchase history, and ensuring the security of your account against unauthorized access or misuse. The data are also processed for identification in your future actions and communication with us.
Legal basis for processing:
The basis in the above cases is the performance of a contract to which you are a party. This means that collecting, processing, and storing your personal data is necessary to provide the “Account registration” service and to perform the Terms and Conditions (the Contract) between you and the Merchant. Without these data, we cannot create and maintain your account.

Compliance with legislation and requirements of state and regulatory authorities
Purpose of collection:
By collecting and processing the relevant groups of personal data, the Merchant demonstrates transparency in its operations and readiness for inspections by supervisory authorities. Additionally, data are collected for reporting to tax authorities, as well as when their storage is required to comply with legislation.
Legal basis for processing:
The basis in the above cases is compliance with legislation, which is our obligation. This means that we, as the Merchant, are legally obliged to collect, process, and store certain data for the period specified by law.

Art. 7. (1) Regarding processing based on legitimate interest (Art. 6(1)(f) GDPR), the Controller has carefully assessed the balance between its interests and the fundamental rights and freedoms of data subjects, as follows:
(2) To improve service quality (Art. 6(1), item 3), the legitimate interest consists of:

  • the need to ensure optimal functioning of the online store, which benefits both the Controller and users;

  • prevention of technical problems that could harm user experience or data security;

  • obtaining valuable feedback to improve services, which is in the interest of all users.
(3) For direct marketing to existing users (Art. 6(1), item 5), the legitimate interest consists of:

  • keeping users informed about new functionalities that could improve their experience in the online store;

  • promoting additional services related to those already used by the user and which may be useful to their activity.
(4) To ensure that data subjects’ rights and freedoms are not overridden by legitimate interests, the Controller applies the following safeguards:

  • limiting processed data to the minimum necessary to achieve the relevant purpose;

  • applying appropriate technical measures to protect data;

  • providing clear opt-out mechanisms where technically possible;

  • enforcing a strict policy for storage and deletion of data after the end of necessity;

  • providing transparent information to data subjects regarding processing and their rights.

Art. 8. (1) In accordance with the purpose limitation principle (Art. 5(1)(b) GDPR), the Controller undertakes not to process personal data in a manner incompatible with the purposes for which they were originally collected, unless:

  • explicit consent has been obtained from the data subject for the new processing purpose; or

  • the processing is necessary for compliance with a legal obligation under EU or Member State law; or

  • the new purpose is compatible with the original purpose after an assessment under Art. 6(4) GDPR.
(2) Where processing for a new purpose incompatible with the original is necessary, the Controller will inform data subjects and seek their explicit consent before commencing the new processing.

Section VI – Retention Periods for Your Personal Data

Art. 9 (1) We store your personal data only as long as necessary to achieve the purposes for which they were collected, or to fulfill our legal obligations.
(2) Retention periods are determined based on the nature of the data, the purpose of processing, legal requirements, and our legitimate business interests.
(3) We regularly review stored data and automatically delete or anonymize data whose retention period has expired.

Art. 10 (1) For core customer profile and order data, we apply the following retention periods, starting from the date of your last activity in our online store.
Identity and contact data:

  • Retention period: 5 years from the last order or account activity

  • Rationale: Necessary to comply with accounting obligations (5 years) plus an additional period to handle potential claims or legal disputes

  • After expiry: Data are fully deleted or anonymized for statistical purposes

Delivery and invoicing data:

  • Retention period: 5 years from invoice issuance

  • Rationale: Required by Bulgarian accounting and tax legislation

  • After expiry: Mandatory deletion except for anonymized data for business analytics

(2) For financial operations and payment-related data, shorter periods apply due to the sensitive nature of the information.
Payment data:

  • Retention period: 12 months from the transaction date

  • Rationale: Period for possible chargebacks plus additional time for dispute resolution

  • After expiry: Immediate and irreversible deletion from all systems

Art. 11 (1) Technical data and information about website use are stored for shorter periods, consistent with their specific purpose.
IP addresses and technical logs:

  • Retention period: 12 months from the date of recording

  • Rationale: Necessary for system security, abuse prevention, and technical support

  • After expiry: Automatic deletion or anonymization for aggregated statistics

Cookie and session data:

  • Retention period: From 24 hours to 24 months depending on the cookie type

  • Rationale: Technically necessary – until end of session; Analytical – up to 24 months; Marketing – according to your settings

  • After expiry: Automatic expiry or deletion upon settings change

(2) For your activity data in the online store we apply flexible periods depending on the nature of the interaction.
Purchase history and preferences:

  • Retention period: 2 years from the last purchase

  • Rationale: Necessary for personalized recommendations, service, and service improvement

  • After expiry: Anonymization for commercial analyses without possibility of identification

Abandoned cart data:

  • Retention period: 1 month from last activity

  • Rationale: Cart recovery and tracking user intent

  • After expiry: Automatic deletion of personal identifiers

Art. 12 (1) Communication data and records of interactions with our customer support are stored for periods that ensure quality service and compliance with legal requirements.
Email correspondence and chat messages:

  • Retention period: 2 years from the last message

  • Rationale: Necessary to track requests, ensure continuity of service, and protection in legal disputes

  • After expiry: Archiving in anonymized form to improve service

(2) For specialized processing cases we apply tailored periods that reflect specific needs and legal requirements.
Claims/complaints data:

  • Retention period: 2 years from resolution of the claim

  • Rationale: Protection in potential legal disputes and compliance with consumer law

  • After expiry: Deletion with the option to keep anonymized statistics

Marketing consent data:

  • Retention period: Until withdrawal of consent plus 6 months to evidence its validity

  • Rationale: Necessary to demonstrate the lawfulness of marketing activities

  • After expiry: Deletion of data with retention of a separate record of the withdrawn consent

Art. 13 (1) Data stored to comply with legal obligations are retained for the full term provided by the relevant legislation, regardless of your deletion requests.
(2) Upon a request for deletion of personal data, we will inform you of any data that cannot be deleted due to legal requirements, clearly stating the legal basis and expected term.
(3) Immediately after the expiry of the statutory periods, such data are automatically deleted, unless you request their earlier anonymization.
(4) We maintain a detailed register of all retention periods and automated deletion processes, which you can review upon request.
(5) In case of legislative changes affecting retention periods, we will update the Policy and notify you of material changes.
(6) You may request information at any time about the specific periods applicable to your personal data by contacting us through the provided contacts.

Section VII – Rights of the Data Subject in the Collection, Processing, and Storage of Personal Data. Withdrawal of Consent

Art. 14 (1) The data subject has the right to withdraw consent for personal data processing by completing the form found in the “Annexes” section. This right may be exercised if the person does not wish all or part of their personal data to continue to be processed by the Merchant for a specific or for all processing purposes.
(2) After withdrawal of consent for processing personal data, your account may be deactivated; however, browsing the online store and the offered products, placing orders as a guest, and the possibility of new registration will remain available.
(3) If there is an order that is still being processed, consent may be withdrawn after the order is completed.

Art. 15 (1) The data subject may withdraw consent for processing personal data for direct marketing purposes by selecting the “Unsubscribe” option located at the bottom of every electronic message. If such an option is not available, you must contact the Merchant and inform us of your wish that your personal data not be processed for direct marketing purposes.
(2) The withdrawal of consent will not affect the lawfulness of processing carried out by the Merchant prior to that moment, nor data that must be stored for a legally established period.

Art. 16 (1) The data subject has the right to request and receive from the Merchant confirmation as to whether personal data concerning him or her are being processed, which personal data are processed, and other information related to the processing.
(2) The Merchant provides, upon request, a copy of the personal data undergoing processing concerning the respective subject, in electronic or other appropriate form.
(3) Access to data is free of charge, but the Merchant reserves the right to impose an administrative fee in the event of repetitive or excessive requests.

Art. 17 (1) The data subject has the right to request rectification or completion of his or her personal data when inaccurate or incomplete in view of the purposes of processing.
(2) The data subject may make the relevant correction independently through their account or by completing the form in Annex No. 3 and sending it to the Merchant’s contact email.

Art. 18 (1) The data subject has the right to request erasure of personal data stored by the Merchant. In such cases, the Merchant must erase, within 5 calendar days, all data for the respective subject that it stores.
(2) To exercise the right to erasure, the User must:

  • Submit a request by email by completing and sending the form from the “Annexes” section;

  • Verify identity as the account holder (if such account exists).
(3) If there is an order in processing, the earliest moment to exercise the right is after processing of the order is completed.
(4) Exercising the right to be forgotten will not affect the lawfulness of processing carried out by the Merchant prior to that moment, nor data that must be stored for a legally established period.

Art. 19 (1) The data subject has the right to download the data stored and processed about him/her in connection with the use of the online store functionalities. The right is exercised by an email request after completing the form in the “Annexes” section.
(2) The personal data stored by the Merchant may be obtained by:

  • Request to the Merchant to provide your personal data in a readable format;

  • Request to the Merchant to transfer your personal data that it processes to another Merchant/controller.

Art. 20 The data subject has the right to request and receive, in a machine-readable format, the data stored about him/her.

Art. 21. The data subject has the right to request restriction of processing of personal data in the following cases:

  • Contesting accuracy: If you contest the accuracy of your personal data, we are obliged to restrict processing for the period necessary to verify their accuracy.

  • Unlawful processing: If you believe that the processing of your personal data is unlawful, you have the right to request restriction of their use instead of erasure.

  • Needed for legal claims: Even if we no longer need your personal data for the original purposes, you may need them for the establishment, exercise, or defense of legal claims. In this case, you have the right to request restriction of processing instead of erasure.

  • Objection to processing: If you have objected to processing based on our legitimate interest, we are obliged to restrict processing for the period necessary to verify whether our compelling legitimate grounds override yours.
(2) To exercise this right, you must submit a written application via the Merchant’s official correspondence email.
(3) During the review period of the request for restriction, the Merchant may continue to store your personal data, but will not process them in any other way unless we receive your consent or it is necessary for the establishment, exercise, or defense of legal claims, to protect the rights of another person, or for reasons of important public interest.

Section VIII – Data Processing and Security

Art. 22 (1) We apply modern technical and organizational security measures to protect your personal data from unauthorized access, loss, alteration, or disclosure.
(2) Security measures are determined based on the nature of the data, the scope of processing, the context and purposes, while considering possible risks to the rights and freedoms of natural persons.
(3) We regularly review and update our security policies in line with technological developments and emerging threats. All protective measures are applied throughout the entire data lifecycle—from collection to final deletion or anonymization.

Art. 23 (1) Our technical safeguards include encryption of data in transit and at rest, use of SSL/TLS certificates for secure communications, and regular encrypted backups.
(2) We apply strict access control to the site database through individual user profiles and multi-factor authentication for administrative access.
(4) All systems are kept up to date through regular software updates and prompt application of critical security patches.

Art. 24 (1) Our organizational measures include staff training on data protection principles, security procedures, and recognition of potential threats.
(2) Access to personal data is granted only to employees with a justified need for this information to perform their duties.
(3) Where an employee has access to personal data, they sign a confidentiality agreement and must follow strict personal data protection rules.

Art. 25 The Controller maintains detailed records of all personal data processing activities in accordance with GDPR accountability requirements. Procedures are in place for rapid response to technical issues, suspected security breaches, or changes in threats.

Art. 26 (1) In the event of a personal data breach, the Controller will take immediate measures to limit damage and restore system security.
(2) For breaches that pose a high risk to your rights and freedoms, the Controller will notify you without undue delay via email, SMS, or another appropriate communication method.
(3) The notification will include a description of the nature of the breach, categories and approximate number of affected persons, likely consequences, and the measures taken to address the breach.
(4) The Commission for Personal Data Protection will be notified within 72 hours of becoming aware of the breach, unless it does not pose a risk to the rights and freedoms of natural persons.

Art. 27 (1) The Controller works only with processors that can ensure appropriate technical and organizational measures for data protection in accordance with GDPR requirements.
(2) All contracts with processors contain detailed clauses on data protection, including confidentiality obligations, use limitations, and security requirements.

Art. 28 (1) The Controller performs technical vulnerability assessments through attack simulations and penetration tests.
(2) The Controller has established data backup and recovery procedures, which are periodically tested to ensure their effectiveness.
(3) All security measures are documented in detail and reviewed at least once a year or upon significant technological or threat changes.
(4) If you have questions regarding the security of your data, you may contact us through the listed contacts to receive additional information on the protective measures applied.

Section IX – Data Sharing and International Transfers

Art. 29 (1) In the course of our activities, we share your personal data only with trusted partners and service organizations necessary to provide our services and fulfill your orders.
(2) All third parties with whom we share personal data are obliged to observe the same high standards of data protection and to process the information solely for the purposes for which it was provided.
(3) We never sell, rent, or provide your personal data to third parties for their own marketing purposes without your explicit consent.

Art. 30 (1) To ensure the technical infrastructure and functionality of our online store, we share certain data with technology service providers.
Category of recipients: Cloud and hosting providers
Specific recipients: SuperHosting.BG EOOD (hosting), Google Analytics (web analytics), Facebook/Meta (marketing analytics)
Data shared: IP address, browser data, pages you visit, time of visit
Purpose of sharing: Ensure technical operation of the website, analyze traffic, and improve user experience
Legal basis: Legitimate interest to maintain and develop our online business

(2) To deliver ordered products to your address, we provide necessary data to courier and logistics companies.
Category of recipients: Courier and logistics services
Specific recipients: Econt AD and Speedy AD
Data shared: Name, phone, delivery address, shipment information
Purpose of sharing: Deliver orders, track shipments, contact the recipient
Legal basis: Contract – necessary for the performance of the delivery obligation

(3) For processing orders for all customers, we use an external company that stores and dispatches all orders:
Category of recipients: Order processing and goods storage
Specific recipients: Econt AD and Speedy AD
Data shared: Name, phone, delivery address, shipment information (type, size, and color of the order)
Purpose of sharing: Create waybills and send to the courier for delivery of orders, track shipments, contact the recipient
Legal basis: Contract – necessary for the performance of the delivery obligation

Art. 31 (1) To comply with our accounting and tax obligations, we provide certain data to professional service organizations.
Category of recipients: Accounting and legal services
Specific recipients: External accounting firm; legal services as needed
Data shared: Invoicing data, sales data, contract information
Purpose of sharing: Bookkeeping, preparation of tax returns
Legal basis: Legal obligation to comply with accounting and tax legislation

(2) Upon request from competent state authorities, we provide personal data to the extent defined by law.
Category of recipients: State institutions and supervisory authorities
Specific recipients: NRA, CPDP, judicial authorities, other competent institutions
Data shared: Data according to the specific legal requirement or order
Purpose of sharing: Compliance with legal obligations, cooperation with state authorities
Legal basis: Legal obligation or protection of vital interests

Art. 32 (1) Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) in cases where we use services from international technology companies.
(2) The main international transfers in our activity include:
United States:

  • Google LLC (Google Analytics) – based on the European Commission Adequacy Decision of 10.07.2023 for the EU–US Data Privacy Framework

  • Meta Platforms Inc. (Facebook Analytics) – based on the European Commission Adequacy Decision of 10.07.2023 for the EU–US Data Privacy Framework
(3) For all international transfers to countries without an adequacy decision, we apply Standard Contractual Clauses (SCCs) approved by the European Commission, together with additional technical and organizational protection measures.
(4) Before each international transfer, we assess the legal framework in the destination country to ensure the level of protection is not lower than that in the EU.

Art. 33 (1) To protect personal data during international transfers, we apply the following additional security measures:
Technical measures:

  • Encryption of data in transit (SSL/TLS protocols)

  • Pseudonymization of personal identifiers where possible

  • Limiting access strictly to the minimum necessary data

  • Regular updates and monitoring of security systems
(2) Contractual measures:

  • Inclusion of strict data protection clauses in contracts with all international partners

  • Requirement for immediate notification in case of security breaches

  • Right to audit and inspect data protection measures

  • Obligation to delete data upon termination of cooperation
(3) Organizational measures:

  • Regular review and update of transfer risk assessments

  • Documentation of all international transfers and protection measures applied

  • Rapid response procedures in case of changes in the legal framework of destination countries

Art. 34 (1) You have the right to be informed about all international transfers of your personal data and to receive details of the protection measures applied.
(2) In the event of material changes in international transfers or the legal framework of destination countries, we will notify you and update this Policy.
(3) In case of revocation of an adequacy decision or other substantial changes in the international legal framework, we will take immediate measures to ensure the continued protection of your data.

Section X – Automated Processing and Profiling

Art. 35 (1) Within its activities, the Controller does not carry out automated decision-making producing legal effects concerning you or similarly significantly affecting you.
(2) All decisions related to processing your orders, providing services, or communicating with you are made with direct human intervention by the Controller’s staff.
(3) The Controller does not use algorithms or automated systems to decide on approval or rejection of orders, pricing, or service conditions.

Art. 36 (1) The Controller does not perform systematic profiling of clients for automated decision-making or creating detailed profiles for commercial purposes.
(2) The main analyses performed are limited to basic statistics on product popularity and general sales trends, without creating individual client profiles.
(3) Product recommendations in the online store are based on general categories and popular items, not on complex algorithms for individual profiling.
(4) Any personalization of the user experience is based on your explicit preferences or purchase history, without automated creation of psychological or behavioral profiles.

Art. 37 (1) If in the future the Controller decides to implement technologies for automated decision-making or profiling, you will be notified in advance and this Policy will be updated.
(2) For any such implementation, the Controller will ensure compliance with all GDPR requirements, including appropriate safeguards for your rights and freedoms.
(3) You will be given the opportunity to obtain human intervention, express your point of view, and contest any automated decision that may affect you.

Section XI – Cookies and Tracking Technologies

Art. 38 (1) The website uses cookies and similar tracking technologies to ensure proper functioning of the online store and to improve your user experience.
(2) Cookies are small text files stored on your device when you visit the website and contain information about your preferences and activity.
(3) Different types of cookies are used depending on their purpose, duration, and origin, with each category serving specific website functions.

Art. 39 (1) On your first visit to the website, you will be informed about the use of cookies via a special banner or window with options to manage consent.
(2) You can give or refuse consent for different categories of cookies through the interactive settings panel.
(3) Your preferences are remembered and can be changed at any time via the “Cookie settings” link at the bottom of the website. Changes take effect immediately but may require page reload for full application.

Art. 40 (1) In addition to website settings, you can manage cookies directly through your browser settings.
(2) Most modern browsers allow you to block all cookies, receive notifications before cookies are set, or delete existing cookies.
(3) Please note that blocking all cookies may result in limited website functionality, including issues with the shopping cart and user account.

Art. 41 The storage duration of cookies varies depending on their type and purpose, ranging from the end of the browser session to 2 years. Information about each cookie can be found in the Cookie Policy.

Section XII – Transitional and Final Provisions

Art. 42 (1) This Privacy and Personal Data Protection Policy enters into force on 10.09.2025 and repeals all previous versions.
(2) The Policy is an integral part of the Terms of Use of the online store and applies together with them. In case of conflict between the provisions of this Policy and the Terms of Use, the provisions of this Policy shall prevail on matters related to personal data protection.
(3) This Policy applies to all personal data collected and processed through the online store, regardless of whether they were collected before or after its effective date.

Art. 43 (1) The Controller reserves the right to update and amend this Policy periodically to reflect changes in:

  • Personal data processing practices;

  • Functionalities and services offered through the online store;

  • Applicable legislation;

  • Technological changes related to data security;

  • Recommendations or decisions of supervisory authorities.
(2) In case of material changes to the Policy that significantly affect data subjects’ rights or the way personal data are processed, the Controller will:

  • Send an email notice to all registered users containing a summary of the changes and a link to the full text of the updated Policy, at least 7 days before the changes take effect;

  • Seek new consent from users where necessary given the nature of the changes.
(3) For non-material changes, such as spelling corrections, clarifications without changing meaning, or updates to contact details, the Controller will publish the updated Policy without prior notice.
(4) Continuing to use the online store after the changes take effect is deemed acceptance of those changes. If you do not agree with the changes, you must stop using the online store.

Art. 44 (1) This Policy is governed by Bulgarian law and the applicable law of the European Union.
(2) All disputes arising in connection with this Policy shall be resolved through negotiations between the parties and, failing agreement, by the competent Bulgarian court.
(3) If any provision of this Policy is found invalid or unenforceable by a competent authority, this shall not affect the validity or enforceability of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that best achieves the purpose of the original provision.

Art. 45 (1) This Policy is drafted in Bulgarian. If the Policy is translated into other languages, in the event of discrepancies between language versions, the Bulgarian version shall prevail.
(2) When interpreting the provisions of this Policy, their purpose, the ordinary meaning of the words and expressions used, and the context of the entire Policy shall be taken into account.

Art. 46 (1) For questions related to this Policy and the processing of personal data, you can contact the Controller using the contact details listed in Section I.
(2) For inquiries and requests related to personal data processing, the Controller strives to respond as soon as possible, but no later than one month from receipt of the inquiry/request, unless the complexity or number of inquiries requires an extension of this period.

Art. 47 The Controller is committed to maintaining a high level of personal data protection and to continuously improving its practices and processes in line with best standards in the field of data protection.

Art. 48 Integral parts of this Privacy Policy are the annexes available below. They are provided to data subjects to facilitate the exercise of their rights under this document and in view of the legal framework on personal data protection.

The terms are:

Effective since: 12/11/2024
Last modified: 15/10/2025