Privacy policy



Please read the privacy policy carefully.


1. ABOUT THE PRIVACY POLICY


The protection of the personal data of visitors, users and/or customers of our website - https://cueaction.store/ is a top priority for us at "Luka MS" OOD, UIC 208371881 ("We", "Us" or "Our").


This Privacy Policy is provided in accordance with the requirements of the regulatory acts for the protection of personal data, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), as well as the applicable local legislation in the Republic of Bulgaria.


When we refer to "You" or "Your", we mean individually and collectively each visitor or user of this website - https://cueaction.store/, as a data subject.


2. ADMINISTRATOR OF PERSONAL DATA


The following company is the controller in relation to the processing of your personal data, as described in this Privacy Policy:


"Luka MS" OOD, registered in the Bulgarian Commercial Register with UIC 208371881, with registered office and registered address: Sofia, p.k. 1404, Triaditsa district, Manastirski Livadi Iztok residential district, 48 Grigor Cheshmedzhiev Str., block 48, entrance B, floor 5, apt. 22


Any data subject may contact Us at any time at the details provided below for any questions, suggestions and/or requests regarding confidentiality and data protection:


Head office and registered office: Sofia, p.k. 1404, Triaditsa district, Manastirski Livadi Iztok residential complex, 48 Grigor Cheshmedzhiev Str., block 48, entrance B, floor 5, apt. 22


or other correspondence address: Sofia, Manastirski Livadi Iztok, ul. "Lavski Rid" Nº 21, Office No. 1


tel.: +359899901389 or +359883574676,

email: cueaction.store@gmail.com


3. DEFINITIONS


In this Privacy Policy we use the following defined terms:


"Personal data" is any information that can be used to identify you, either alone or in combination with other information;


"Data subject" is any identified or identifiable natural person (you);


"Processing" means any operation or set of operations that is performed on your personal data or on a set of personal data;

"Pseudo-identification" means the processing of personal data in such a way that the personal data can no longer be attributed to you without the use of additional information;


"Controller" means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of your personal data. We are the controller in relation to the processing of your personal data on our website;


"Processor" means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


4. INFORMATION WE MAY COLLECT AUTOMATICALLY THROUGH COOKIES AND OTHER TECHNOLOGIES


As you browse or use some of the features of our Site, as well as through the use of cookies, We collect personal data. We may collect information about the goods and/or services you have viewed or searched for, and the features of this Site you have used, including time spent and other statistical information. Some types of information may be obtained automatically, such as each time you interact with the Site or use our Services. This information does not necessarily reveal your personal identity directly, but may include information about the specific device you are using, such as your device identification number, operating system, web browser (such as Chrome, Firefox, Safari, Internet Explorer, and others), and your IP address/MAC address/device identifier.


Please see the Cookie Policy available on the Site for additional information on how to manage Our use of cookies.


5. PRINCIPLES FOR COLLECTING, PROCESSING AND STORAGE OF PERSONAL DATA


We process (including, but not limited to: collecting and storing) your personal data only in connection with our activities and in accordance with the requirements of applicable law, including the Personal Data Protection Act of the Republic of Bulgaria and the GDPR. We may also collect data about other people related to you if you have chosen to disclose such information in your communication to us.


When processing your personal data, we are guided by the following basic principles:


  • processing is carried out in a lawful, fair and transparent manner;

  • data is used only for clearly defined and legitimate purposes;

  • storage periods are limited to the time necessary to achieve the specific purposes;

  • only data that is necessary and relevant is processed;

  • accuracy and up-to-dateness of the information is maintained;

  • protection, confidentiality and an appropriate level of security are guaranteed when processing personal data.


6. LEGAL GROUNDS FOR COLLECTING AND PROCESSING YOUR PERSONAL DATA


The legal grounds on which we collect and process your personal data are as follows:


  • Your consent to process personal data;

  • The processing of personal data is necessary for the performance of the controller’s contractual obligations to you;

  • the processing of personal data is necessary to take steps at your request prior to entering into a contract;

  • the processing of personal data is necessary for compliance with the controller’s legal obligations;

  • If an individual decides not to provide some or all of the personal data that is necessary for the specific purpose described above, we may not be able to provide the relevant service. This may include the inability to fulfill contractual obligations to you or difficulty in complying with certain legal requirements, including enabling the data subject to exercise their rights under the GDPR.


7. WHAT PERSONAL DATA DO WE PROCESS?


We process (including, but not limited to: collect and store) the following categories of personal data, each category being related to specific purposes and legal grounds:


• Your basic identification data such as name, telephone number and email address, as well as additional information that you provide at your own request. This data is used to process your inquiries, provide offers, prepare services and communicate with you. The processing is carried out on the basis of your request to take action before a possible contract is concluded, or on the basis of your consent;


• all or some of the identification data such as: name and surname; email address; telephone number; administrative delivery address; unique civil number (EGN) or date of birth and/or other national personal identification number of a foreigner and/or citizen of the European Union, when this is necessary for the issuance of invoices and other accounting or tax documents. The data is processed for correspondence with you regarding the services used and based on the need to take steps at your request, perform a contract or fulfill our legal obligation;


• all or some of the following identification data such as: name and surname; email address; telephone; administrative delivery address, necessary for concluding a contract, making a payment, processing orders, reservations or purchases, including for the performance of the contract, as well as information for the refund of amounts paid in the event of canceled orders, reservations or returned products. This data is processed in connection with account registration, concluding a contract, performing orders or services, returning products, canceling orders, etc. The data is processed to fulfill our contractual obligations to you and/or to comply with legal obligations;


• Your IP address, browser settings and preferred language, as well as information about the pages visited and the actions performed, are used to send notifications when you have expressed a desire to receive them;


• Your IP address and the pages visited are processed for the purpose of ensuring information security;


• other information that you voluntarily provide, including an email for registering a subscription to receive news, information about Products, promotions and other notifications. This data is processed in connection with the performance of a contract, on the basis of consent or to comply with regulatory obligations.


It should be noted that data about your bank card, through which you make payments on the website of the administrator-merchant, are not stored and processed by the latter. Your bank card data is processed by the Payment Processor - a third party that processes electronic payments, which at the time of entry into force of these General Terms and Conditions is Shopify, information about which is available on the following web page https://www.shopify.com . The data that is processed for the purpose of payment may include: names of the cardholder; card number (the full number is processed only by the payment system); validity date; CVC/CVV code (three-digit code, indicated on the back of the card); amount and order number.


We may only have access to information about the successful transaction (amount, date, last 4 digits of the card, order identifier) for reporting and customer service purposes.


By accepting this Privacy Policy, you expressly agree to the processing of the specified data by Shopify for the purpose of concluding a contract with Us and processing payments. Shopify's Privacy Policy can be accessed at the following link: https://www.shopify.com/legal/privacy/consumers


8. AUTOMATED DATA PROCESSING AND PROFILING


We do not use profiling and will not make automated decisions about you that may significantly affect you, unless (i) the decision is necessary as part of a contract we have with you, (ii) we have your explicit consent or (iii) we are legally obliged to use the technology.


9. SPECIAL CATEGORIES OF PERSONAL DATA – SENSITIVE DATA


We do not collect or process from you data of the so-called "special categories of personal data", such as information about racial or ethnic origin, political opinions, genetic or biometric data, as well as information related to the sex life or sexual orientation of individuals.

 

10. PROVISION OF DATA FROM YOU TO THIRD PARTIES


We usually receive personal data directly from the personal data subject. When you provide personal data to third parties in order for them to receive the order (for example, when ordering as a gift or other donation), or when personal data is provided for personalized goods and/or services (including Custom-Made Goods and Services under the Terms and Conditions), the responsibility for sharing and informing these persons about the data provided is entirely yours.


11. HOW LONG DO WE KEEP YOUR PERSONAL DATA?


We store your personal data for the minimum period necessary to fulfill the purposes set out in this Privacy Policy, unless we are legally obliged and/or have the right to keep it for a longer period.


Unless otherwise stated or required by applicable laws, please also note that we generally apply the following retention periods:


  • Personal data provided via a communication channel is stored until the inquiry is fulfilled or the query is satisfied, and for a maximum of two years thereafter for internal statistical and marketing analyses;

  • Personal data of customers processed in connection with contracts between Us and the relevant person is stored for up to ten years, starting from 1 January of the year following the year in which the contract is reported for tax purposes;

  • Personal data related to the issuance of tax documents (invoices) is stored for up to ten years from 1 January of the year following the year reported for tax purposes;

  • Personal data provided with your explicit consent is stored until the moment of withdrawal of your consent, unless another ground for processing personal data applies to them, for which a longer storage period applies.

     

We will retain personal data after the expiry of these periods if we are obliged to do so in order to comply with the law in cases of pending proceedings or complaints that would reasonably require the retention of personal data, or for regulatory or technical reasons. When we store this data, we will continue to ensure that the confidentiality of data subjects is protected.


After the relevant deadlines have expired, we take the necessary measures to securely delete or destroy the personal data without unnecessary delay.


12. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?


The GDPR grants data subjects a number of individual rights. Please note that these rights are not absolute and may not apply in certain circumstances.

Such rights are:


  • Information or confirmation as to whether or not your personal data are being processed;

     

  • Right of access to information on, for example, but not limited to: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data are or will be disclosed;

     

  • Right to rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing additional declarations/documents;


  • Right to erasure (so-called right to be forgotten) of personal data relating to you in certain circumstances. This right only applies to data stored at the time of receipt of the request. It does not apply to data that may be created in the future. Please note that where we are legally obliged to process certain personal data, then the right to erasure will not apply to them. We would also like to clarify that the right to be forgotten applies in such a way that the erasure will be carried out in relation to operational systems, but the data will remain in the backup environment for a certain period of time until it is overwritten. This means that we will put the backup data "out of use" even if it cannot be overwritten immediately (the backup copy is simply retained in our systems until it is replaced in accordance with an established schedule);

     

  • Right to restriction of processing in certain circumstances. This is an alternative to requesting the erasure of your data where, for example (but not only) the processing is unlawful, but the data subject does not want their personal data to be erased, but instead wishes to have their use restricted, unless this proves impossible or involves a disproportionate effort;

     

  • Right to data portability, insofar as the processing is based on consent or a contract and is carried out by automated means. This right allows data subjects to receive and reuse their personal data for their own purposes across different services, from one information environment to another, in a safe and secure manner, without affecting their usability;

     

  • Right to object to the processing of personal data. For example (but not limited to) the data subject has the right to object at any time to the processing of their personal data for marketing purposes. However, if the data subject objects to other uses, we may refuse to comply with the objection, but only if we can demonstrate that we have compelling legitimate grounds for continuing to process your data which override your objection. In particular, the data subject has the right to object at any time to processing based on legitimate interest, in which case we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;

     

  • Avoidance of automated decision-making (without human intervention), such as profiling, which uses personal data to make calculated inferences about natural persons. There are strict rules for this type of processing and data subjects have the right to object and request a review of the processing if they consider that these rules are not being complied with;


  • The right to withdraw the consent given to the processing of your personal data at any time and we will cease processing the information concerned. Please note, however, that consent is only one of several legal grounds for processing personal data, so exercising this right does not mean that there is no other legal basis.

     

  • Information on the action taken within one month of receipt of the request. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests;


  • Information in the event of a data breach which is likely to result in a high risk to the rights and freedoms of the data subject.


13. EXERCISE OF RIGHTS


If a data subject wishes to exercise any of the above rights, he or she may at any time contact us directly at the contact details provided in this Policy, including at the following email address: cueaction.store@gmail.com


In addition, data subjects have the right to lodge a complaint with the competent supervisory authority and the competent courts if the data subject considers that the processing of their personal data infringes the provisions of applicable privacy laws, including this Privacy Policy.


Please note that you can register a complaint with the competent supervisory authority. You can find the contact details of the competent authorities in the EEA at:


https://edpb.europa.eu/about-edpb/about-edpb/members_en


The details of the Bulgarian competent supervisory authority for data protection are:


Commission for Personal Data Protection


Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.


GPS coordinates: N 42.668839 E 23.377495


Email: kzld@cpdp.bg


Website: www.cpdp.bg


Tel. 02/91-53-519


14. HOW AND WHY MAY WE SHARE OR TRANSFER PERSONAL DATA TO THIRD PARTIES, THIRD STATES AND INTERNATIONAL ORGANIZATIONS?


When necessary, we may provide (share or transfer) personal data about you:


  • to anyone as a result of a restructuring, sale or acquisition, or to anyone to whom we transfer or may transfer our rights;

  • if We are obliged or permitted to do so by law, regulation, court order or order of a supervisory, regulatory or similar authority;

  • accountants, professional consultants and lawyers – for the purposes of financial, accounting and administrative services of our business;

  • cloud platforms for data processing and storage – for organizational services, for example, storing and processing contracts with personal data subjects for the purpose of higher security;

  • postal service providers – for sending goods, the subject of purchase and sale;

  • IT service providers and system administration – for maintenance and improvement of the security of the website and data processing;

  • companies providing marketing services – to optimize the operation of the site and more reliable communication with website users;

  • providers of third-party information storage services (hosting companies) – to fulfill contracts with website users.

     

Please note that the transferred data is limited to the purpose for which it is transferred. Adhering to this concept, we provide access to information to third parties only after a detailed review of the documentation and only if they meet the requirements of the applicable regulatory regime. This review carefully examines the competence of each third party, as well as the technical and organizational measures for data protection.


If your personal data is transferred outside the EEA to a country whose data protection standards are not considered adequate, we make sure that data protection is ensured by other measures. The safeguards will include the use of contractual clauses approved by the European Commission and/or other appropriate safeguards to ensure that personal data is sent and received in accordance with applicable regulatory enactments.


We may disclose your personal information to the extent that we are required to do so by applicable privacy legislation.


In the event that a data subject requests the deletion of their personal data from our database, We will only retain such data as is necessary to protect our legitimate interests or to comply with the requirements of public authorities.


15. HOW DO WE PROTECT YOUR INFORMATION?


We take all reasonable steps to ensure the confidentiality of personal data and any other confidential information provided to us that is not personal data. We will comply with our confidentiality obligations and will establish and maintain adequate security measures to protect confidential information from unauthorized access or use.


We cannot be held responsible for third-party sites to which the Website links or for their policies. If you click on a link to a third-party site, please read the privacy policy/notice of the said site carefully and decide whether it is appropriate for you to use it.


16. CHANGES TO THE PRIVACY POLICY


We reserve the right to make changes to this Privacy Policy at any time, so please check back periodically for changes.

This Privacy Policy is prepared in Bulgarian and English. In the event of a conflict between the two versions, the Bulgarian version shall prevail.

This Privacy Policy is effective from 19.02.2025.