As a personal data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), the company makes every effort to protect the information entrusted to it. This Privacy Policy aims to inform you transparently about the following:

1. The personal data we collect when you use our services
2. The purposes and legal bases for their processing
3. How we protect the privacy of your information
4. The rights you have as a data subject

The document is an integral part of the General Terms and Conditions and applies to all categories of users. Protecting your data is a top priority for us. We use strict technical and organizational measures to ensure the security of the information you entrust.

We recommend that you read this document carefully, as it contains essential information about your rights under data protection legislation. We implement state-of-the-art technical and organizational measures, following the requirements of Article 32 of the GDPR and the Data Protection Act.

Section I - General Information. Terms used.

Art. 1 Details of the data controller who processes and stores your data:

Picture name: Nodika Studio Ltd.

UIC/BULSTAT: 206830866

Registered office: Sofia, Triaditsa district, blvd. Cherni Vrah №31, entr. A, fl. 1

Address for correspondence: Sofia, Triaditsa district, blvd. Cherni Vrah №31, entr. A, fl. 1

Phone: + 359 899 881 168 

Email: nodicastudio@gmail.com

Website: https://nodicastudio.bg/ 

Supervisor Information: 

Name: Commission for Personal Data Protection

Registered office: 1592, Sofia, Blvd., Prof. No. 2 Tsvetan Lazarov

Address for correspondence: 1592, Sofia, Blvd., Prof. No. 2 Tsvetan Lazarov

Phone: 02 915 3 518

Website: www.cpdp.bg

Art. 2 For this Privacy Policy, the following terms shall be construed and understood following the definition set forth for each.

1. "Controller" - a legal entity of Nodica Studio Ltd, which determines the purposes and means of processing and the means of storing and sharing personal data following EU and Bulgarian law.
2. "Cookies are small text files stored on the user's end device when visiting the e-shop and are used to recognize the user on subsequent visits.
3. "Personal data" is any information about an identifiable living individual. Individual data that, when aggregated together, may lead to identifying a specific individual also constitutes personal data. Examples include first and last name, email address, identity card number, location data, and Internet Protocol (IP) address.
4. "Personal data breach" means a security breach that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
5. ''Processing'' means any operation or set of operations that are performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
6. ''Processing'' means any operation or set of operations performed upon personal data or a set of personal data, whether or not by automatic means. Such operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available. Processing also covers arranging, combining, restricting, erasing, or destroying personal data.
7. "Pseudonymisation" - the processing of personal data in such a way that the personal data can no longer be associated with a specific data subject without the use of additional information, provided that it is kept separately and is subject to technical and organizational measures to ensure that the personal data are not linked to an identified natural person or an identifiable natural person.
8. ''Consent of the data subject'' means any freely given, specific, informed, and unambiguous indication of the data subject's wishes using a statement or an explicit affirmative action, which signifies their agreement to the processing of personal data relating to them.
9. "Website"/"site" - a distinct location on the World Wide Web accessible via its Uniform Resource Locator (URL) using HTTP, HTTPS, or other standardized protocol and containing files, programs, text, sound, picture, image, or other materials and resources.

Section II - Basis for collecting, processing, and storing your personal data

Art.3 The data controller collects and processes personal data in connection with the use of https://nodicastudio.bg/, in particular on the following grounds:

• Your explicit consent as a user;

• Performance of the Administrator's obligations under a contract with you;

• Compliance with a legal obligation applicable to the Administrator;

• For the legitimate interests of the Controller;

Section III - Principles for the collection, processing, and storage of your data

Art. 4 (1) The data controller shall comply with the following principles when processing and storing your data:

1. Lawfulness, fairness, and transparency - We only process your personal data where there is a legal basis, and we inform you clearly about the purposes and means of processing. All data collection processes through our website comply with applicable law and are described in this policy.
2. Limitation of the purposes of processing - Personal data is collected for specific, explicit, and legitimate purposes, such as sending a newsletter or responding to your inquiry, and is not further processed in a way that is incompatible with those purposes. Cookie data is only used to improve user experience and analyze site traffic.
3. Data minimization - We only collect and process personal data that is strictly necessary to achieve the stated purposes.
4. Accuracy and timeliness of data - We make every effort to keep data accurate and up-to-date, allowing users to update their information as necessary. Inaccurate data is corrected or deleted promptly.
5. Limitation of retention - We retain personal data only for the period necessary to fulfill the purposes for which it was collected or to comply with legal requirements. For example, data from contact forms is retained for up to one year after the last communication.
6. Integrity and confidentiality - We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, or damage. Only authorized personnel trained to protect the data have access to it.
7. Accountability - We can demonstrate compliance with all of the above principles and are accountable for their application. We regularly review and update our data protection processes and measures.

(2) The processing of personal data for marketing purposes, including sending newsletters, always requires users' prior explicit consent.

(3) The controller shall periodically review the data collected and how they are processed to ensure compliance with the data minimization principle.

(4) Where we process personal data based on the Controller's legitimate interest, we carry out a prior assessment to ensure that the rights and freedoms of data subjects do not override that interest.

 

Section IV - Types of personal data and the purpose for which the data Controller processes them 

Section IV - Types of personal data and the purpose for which the data Controller processes them

1. Communication with users

Processed data: name, surname, email address, phone number

Legal basis: legitimate interest (Art. 6 par. one, "f" GDPR) and performance of a contractual relationship (Art. 6 par. one, "b" GDPR)

Purpose of processing: Provide feedback on inquiries, information on services, and technical support

1. Marketing activities

Processed data: email address, name

Legal basis: explicit consent (Art. 6 par. One, "a" GDPR)

Purpose of processing: sending newsletters, news, and updates

1. Improving user experience

Data processed: IP address, device type, browser information, cookie data

Legal basis: legitimate interest (Art. 6 par. one, "f" GDPR) and consent to cookies (Art. 6 par. one, "a" GDPR)

Purpose of processing: user behavior analysis and site optimization

1. Administrative and legal purposes

Processed data: name, surname, email address, telephone number, correspondence address

Legal basis: legal obligation (Article 6(1)(c) GDPR)

Purpose of processing: compliance with legal requirements and defense of legal claims

1. Statistical analyses

Processed data: anonymized data on site traffic and behavior

Legal basis: Legitimate interest (Article 6(1)(f) GDPR)

Purpose of processing: to improve services by analyzing anonymized data

(2) Where the processing of personal data is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

(3) The provision of the personal data referred to in paragraphs 1 to 5 shall be voluntary. If you refuse to provide the necessary personal data for a specific purpose, you may not be able to use the full functionality of the website or the relevant service.

(4) The data controller shall not perform automated decision-making based on your personal data, including profiling.

(5) If the purposes for processing personal data change, the Data Controller will inform you by updating this policy and ask for your consent where it is necessary as a legal basis for processing your personal data.

Section V - Storage periods

Art. 6 The data Controller shall keep the personal data collected only for the period necessary to achieve the purposes set out in this Policy and where it has the right or obligation under law to keep them longer. Various factors will determine the length of retention, such as the duration of the provision of services, if necessary, to establish, exercise, or defend our legal claims or whether we have a legal obligation to retain the data. The periods are as follows:

1. up to 2 years for personal data shared by users on the website, subject to the user's explicit consent to share the relevant data
2. 5 years upon expiry of the limitation periods for bringing claims set out in the Obligations and Contracts Act;
3. 10 years under the Accounting Act for storage and processing of accounting data;
4. 5 years obligations to provide information to the court, competent state authorities, and other grounds provided for in the legislation in force;
5. Customer data and documents on the transactions and operations carried out and documents related to establishing and maintaining commercial or professional relations shall be kept for 5 years (Article 171, paragraph 1 of the Tax Code).  

Section VI - Rights of data subjects and conditions for their exercise

Art. 7 (1) As a data subject, you can withdraw your consent to processing personal data anytime. You can do this using the form in our website's "Applications" section.

(2) Withdrawal of consent shall not affect the lawfulness of processing before withdrawal.

(3) After withdrawal of consent, you will continue to access the website's public content.

Art. 8 (1) You can ask us to confirm whether we process your personal data and provide access to these data and information about their processing.

(2) We will provide you with a copy of your personal data free of charge in electronic or other suitable format upon request. For repeated requests, we may charge a reasonable administrative fee.

Art. 9 You can request the correction of inaccurate personal data or the completion of incomplete data by submitting the relevant form from the "Attachments" section.

Art. 10 (1) You may request erasure of personal data relating to you where any of the following grounds apply:

• the data are no longer necessary for the purposes for which they were collected
• you have withdrawn your consent
• you object to processing
• the data have been unlawfully processed

(2) We will retain a minimum amount of data necessary to authenticate the deletion and for the website to function.

Art. 11 You have the right to request the restriction of processing where you contest the accuracy of the data, in the event of unlawful processing (instead of erasure), where the data are necessary for legal claims, or you have objected to the processing.

Art. 12 (1) You may obtain the personal data you provided in a structured, commonly used, and machine-readable format.

(2) If technically possible, we may transfer the data directly to your designated data controller.

Art.13 You have the right to object to processing your personal data, including for direct marketing purposes.

Art. 14 In the event of a breach of the security of your data, which may pose a high risk to your rights and freedoms, we will notify you immediately and inform you of the measures taken.

Art. 15 (1) To exercise any of the above rights, you may contact us by:

1. E-mail: nodicastudio@gmail.com
2. In writing to. Sofia, Sofia Blvd. 31, entrance A, floor 1
3. Using the forms in the "Annexes" section

(2) We will consider your request and respond within one month of receipt. Considering the complexity and number of requests, this period may be extended by two more months if necessary.

(3) We may request additional information to confirm your identity before acting on your request.

Section VII - Persons who have access to your personal data

Art. 16 (1) To ensure the functionality of the website and to fulfill the legal obligations of the Controller, personal data may be provided to the following categories of recipients:

• Employees of the Administrator who are responsible for communicating with customers and handling inquiries

• Employees of the Administrator's technical department who ensure the maintenance and security of the website

• Accounting and legal department staff concerning the legal obligations of the Administrator

• Technical service providers:

1. 1. • hosting company
      • companies providing website maintenance and marketing positioning
      • content management system providers
      • service providers for sending newsletters

• State and regulatory authorities in the presence of legal grounds - the CPPD, the NRA, the CPC, and other competent authorities

(2) All recipients of personal data are legally bound to respect confidentiality and to implement appropriate technical and organizational measures to protect the data.

(3) The data controller shall provide personal data to third parties only in the presence of a legal obligation or legitimate interest and to the minimum extent necessary to achieve the specific purpose.

(4) When providing personal data to processors, the Data Controller shall enter into written agreements that ensure the data will be processed according to the requirements of the GDPR and applicable law.

Art. 17 (1) The data controller stores and processes your personal data primarily within the European Union (EU) and the European Economic Area (EEA).

(2) Where your personal data needs to be transferred outside the EU/EEA, the Data Controller shall ensure an adequate level of protection by implementing the following safeguards:

1. Use of supervisor-approved binding corporate rules for international data transfers within a group of undertakings
2. Concluding contracts containing the standard contractual clauses adopted by the European Commission, which provide adequate safeguards for the protection of personal data
3. Implementation of approved certification mechanisms or codes of conduct, coupled with legally binding commitments by the recipient to implement appropriate safeguards

(3) Where the measures applied are insufficient, the Administrator shall immediately introduce additional technical and organizational protection measures following the recommendations of the European Commission and best practices in the sector.

(4) Upon your request, we will provide detailed information about the countries where your personal data is transferred and the specific protection measures we apply.

(5) The data controller shall regularly assess the impact of international data transfers and update the safeguards applied according to the risks identified.

Section VIII - Final Provisions

Art. 18 (1) The data Controller shall have the right to update this Privacy Policy to improve the protection of personal data or in case of changes in legislation.

(2) Changes to the Policy shall take effect concerning users upon the occurrence of any of the following circumstances:

1. Upon receipt of express notification from the Administrator and in the absence of objection within 14 days
2. After publication of the changes on the website and no objection within 14 days
3. After explicit acceptance of the changes by the user via the website interface

Art. 19 The provisions of:

1. Regulation (ЕU) 2016/679 (GDPR)
2. Personal Data Protection Act
3. Applicable legislation of the Republic of Bulgaria

Art. 20 (1) The supervisory authority for applying the rules for protecting personal data shall be the Commission for the Protection of Personal Data.

(2) If your rights under applicable data protection law are violated, you may file a complaint with the Personal Data Protection Commission.

Article 21 The invalidity of individual provisions shall not affect the validity of the rest of the Privacy Policy.

(2) In the event of a conflict between this Policy and mandatory statutory provisions, the provisions shall prevail.

Art. 22 (1) This Privacy Policy was adopted and enacted on 01.03.2025.

(2) If there are material changes in how personal data is processed, the data Controller will publish an updated version of the Policy and notify users appropriately.

Section IX - Annexes

Art. 23 You can exercise all your rights regarding protecting your personal data through the forms attached below or the functionalities in your profile.

1. Withdrawal of consent form for processing purposes - Annex 1
2. Request "to be forgotten" - to delete personal data relating to me - Annex 2
3. Request for portability of personal data - Annex 3
4. Request for correction of data - Annex No 4