This policy details the Company’s practice regarding the processing of your personal data as a visitor/user of https://toll.shop (hereinafter referred to generically as the Site) and is intended to inform you about this subject.

By using the Site, the User acknowledges that he/she has read and agrees to this Privacy Policy, the Cookies Policy and the Terms and Conditions published on the Site.

Contents:

1. Identification of the data controller
2. Personal data protection contact details
3. Processing of personal data through the Site
4. The person concerned
5. Personal data processed
6. Purpose of data processing
7. Recipients of processing
8. Legal basis of the processing
9. Type of processing
10. Data processing and storage time
11. Rights of the data subject
12. Obligations of the Company. Security measures for processed data
13. Liability of the Company
14. Transfer to third countries/international organisations
15. Final provisions

1. Identification of the data controller

LOCATOR BG LTD (hereinafter referred to as the Company)

Headquarters: 1421 Ivan Vazov, Sofia, Bulgaria, bul. “Petko Karavelov” 5, Floor 1, Office No. 3

Unified ID Code (UIC): 201448898

VAT ID Number: BG201448898

Email: info@locatorbg.com

2. Personal data protection contact details

The contact details that the visitor may use to submit any requests, notifications or complaints regarding the Terms and Conditions, the Cookies Policy or this Privacy Policy, as well as with any other information published on the Site, policies or operations carried out by the Company, are indicated above.

The deadline for the Company to send a response is no later than 30 days after receipt of the request.

3. Processing of personal data through the Site

Processing is the carrying out of any operation or set of operations on personal data or on sets of personal data, whether or not by automatic means.

The Company accesses, collects, uses and performs any other steps permitted by applicable law on personal data provided by visitors as indicated in this policy.

Locator BG Ltd collects information from users in the following ways: directly from the user, from traffic reports recorded by the servers hosting the Site, and through cookies.

Information provided directly by the user:

• When the user fills in the fields in the “Contact” section, he/she indicates: name, surname, e-mail address and telephone number (all of which are personal data).

  This information is necessary for Locator BG Ltd to be able to respond to the requests sent by the visitor in question, with the mention that only the fields containing the name, surname and e-mail address are mandatory for the transmission of the message, the communication of the telephone number is being optional (it may be submitted as information, if the visitor wishes to be contacted by the Company by phone).

  Other personal data may be processed by the Company if such information is included in the information/request submitted by the visitor. Locator BG Ltd has not requested such data, but to the extent that they are absolutely necessary to be able to respond to what the visitor has sent via the “Contact” section, personal data will be processed at the request of the Site user.

  Filling in the fields in the “Contact” section is not mandatory either for visiting the Site or for concluding a future service contract with Locator BG Ltd. Moreover, all this information may also be submitted in another way (for example, by submitting written requests to the Company’s office or using Locator BG Ltd’s email address instead of the “Contact” form on the Site).

• When a person agrees to the use of his/her e-mail address for marketing purposes by Locator BG Ltd (newsletters), to receive information about services, news, projects, events and the like.

  The choice of subscribing to the list of recipients of newsletters sent by Locator BG Ltd, and implicitly the processing of data, can only be made after the user has indicated it and ticked the “Subscribe” button, steps that represent the expression of his consent.

  The user who has chosen to receive newsletters from Locator BG Ltd will be able to unsubscribe at any time by simply clicking on the active link called “Unsubscribe” present at the end of each communication received from the Company.

• When a person consents to the use of his/her image, voice, name and surname/nickname chosen for social media platforms and links to them for marketing purposes by Locator BG Ltd, for the display of testimonials in the form of photos and text or video, in the sections called “Testimonials” (personal data that will be processed after obtaining the consent of the data subject).

  The company confirms that none of the personal data indicated above will be used for purposes other than that expressly indicated, in particular will not be processed for marketing purposes without complying with the legal provisions (including those relating to obtaining the consent of the data subject or justifying a legitimate interest of the controller, with full information of the data subject).

Information from the server traffic report:

• When a website is visited, users reveal certain information about themselves, such as IP address, time of visit, location from which the website was accessed. Locator BG Ltd, like other operators, records this information.

Information obtained through the use of cookies:

• Full details of how data is processed in this context are set out in the Cookies Policy on the Site.

4. The person concerned

Since the Company processes personal data of visitors/users of the Site, they are Data Subjects and declare that they are over 18 years of age and that they can express their valid consent (where applicable) freely and without the need for prior approval from a third party that has not been obtained by such visitors.

If the information/requests sent by visitors also contain personal data relating to other persons (and they thus acquire the status of data subject), the Company will process their data strictly in order to be able to respond to that information/request and does not assume any liability in addition to that provided for herein, in the Terms and Conditions or in the applicable legislation.

5. Personal data processed

Any information relating to an identified or identifiable natural person, i.e. the Data Subject, may be personal data.

With regard to the purposes of the data processing indicated herein, the Company seeks to minimize the personal data processed.

Thus, according to the Cookies Policy, the Data Subject will be able to tick the applicable types of cookies where their use is not automatic, in order to ensure him/her a more complete and better experience when browsing the Site.

The Company processes the following personal data for the purpose of sending responses to requests/questions communicated by users using the “Contact” section and for promoting the Company using the “Testimonials” and “Newsletters” sections:

• Of the visitor/user:

• By collecting messages received on the “Contact” section from users and sending replies to them: name, surname, e-mail address and telephone number (if this number is indicated by the user)

• By the user’s express confirmation by ticking the box corresponding to the consent to data processing for marketing purposes on the first page of the Site by clicking on the “Subscribe” button: e-mail address

• By displaying testimonials in the form of photos and text or video, in the “Testimonials” sections: image, voice, first and last name/nickname chosen by the user for social media platforms and links to them, employer name

• Visitor/user IP

Depending on the cookie settings, other data may also be processed (in particular data related to the visitor’s preferences and behaviour on the Site).

• Of persons other than the visitor:

  Depending on the content of the messages sent by visitors/users via the “Contact” section, other data may be processed to the extent indicated, although not requested.

  The company undertakes to comply with the legislation on the protection of personal data also in relation to these third parties, without, however, being obliged to obtain any separate consent in this regard. It is the user who has transmitted such information who assumes full responsibility in this regard and declares that they have agreed to the processing carried out by Locator BG Ltd and have been fully informed in this regard.

6. Purpose of data processing

The Site visitor is the person who accesses this page (i.e. you) and on whom certain personal data are processed for various purposes, namely:

In the case of data provided directly by the user:

• providing answers, clarifications and remedying problematic situations in relation to requests and complaints submitted by the user via the “Contact” section;
• sending information for marketing purposes;
• ensuring compliance with this Privacy Policy, the Terms and Conditions and the Cookies Policy, and applicable legal provisions to protect the rights, property or safety of the Site.

In the case of data obtained through traffic reports:

• identification of the relevant sections of the Site;
• more secure administration of the IT system.

In the case of data obtained through cookies:

• site operation
• depending on the settings set by the visitor, the data may be used for the proper functioning of the Site, obtaining statistical information to improve the services offered, saving preferences, etc. All the details related to this type of data processing can be found in the Cookies Policy.

If the Company intends to further process the personal data for a purpose other than those indicated above, it will provide the Data Subject prior to such further processing with additional relevant information on the secondary purpose, subject to completion of the formalities required by law.

7. Recipients of processing

Personal data of the Data Subject are processed by:

• the administrators and employees/collaborators of the Company who are in charge of the administration of the Site and who are involved in the activities about which the visitor asks questions/submissions through the “Contact” section – will process the name, surname and e-mail address of the visitor/user as well as any other personal data submitted by the visitor/user by message;

• Company associates and employees/collaborators who are involved in the marketing process – will process the email address for newsletters, as well as image, voice, name, surname, nickname on social media and link to the user’s social media platforms and employer name for Testimonials;

• support service providers contracted by the Company to fulfil its contractual or legal obligations, such as:
• IT firm – can access all data recorded in the Company’s online records, including user data;
• the Company’s lawyers – can access all data recorded in the Company’s records in the event of legal issues arising that require their involvement;
• business consultants – can access all data recorded in the Company’s online records, including those of users.

The above list of suppliers is not exhaustive, but indicates the main such collaborating companies. They will be independent operators, associated operators or processors in relation to the Company. Regardless of their capacity, they are obliged to maintain the confidentiality and security of the data subject’s personal data by taking appropriate technical and organisational measures.

Although they are not recipients according to legal interpretations, public authorities (including Consumer Protection Commission and National Revenue Agency) and courts may process any/all of the visitor data obtained through the Site.

8. Legal basis of processing

• Art. 6(1) lit. a GDPR – processing is carried out on the basis of the consent of the visitor/user ➔ applicable situation when data processing is done in the context of cookies accepted by the visitor and which are not absolutely necessary for the functioning of the Site; in the context of filling in data in the “Contact” section; as well as when processing visitor/user data for marketing purposes (Newsletters and Testimonials sections);

• Art. 6(1) lit. c GDPR – processing is necessary for compliance with a legal obligation incumbent on Locator BG Ltd ➔ situation applicable in the context of data processing in relation to competent authorities;

• Art. 6(1) lit. f GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party, provided that the fundamental rights and freedoms of the data subject are not violated ➔ situation applicable in the context of data processing for the purposes of the ordinary operation and administration of the Site, as well as in the context of data processing by offering access to service providers.

9. Type of processing

The data processing activities carried out by the Company mainly concern:

• collection of data indicated by the user in the “Contact” form;
• use of data providing answers and feedback;
• the use of data for the purpose of each category of cookie agreed by the user;
• the collection of other unsolicited data provided by the Data Subject in a communication, request or complaint to the Company in order for the Company to respond to and resolve the request or remedy the incident;
• storing the aforementioned data in accordance with the law and within the limits necessary to achieve the purpose in the Company’s secure electronic database;
• allowing access to data to certain employees and external collaborators who provide support services whose activity involves processing data under the condition of assuming the obligation of confidentiality;
• allowing access to data to the competent authorities to the extent required by law.

10. Data processing and storage time

The storage period of personal data collected is:

• until the withdrawal of consent or exercise of the right of erasure or erasure by the visitor for processing of data based on the data subject’s consent;
• for a period of 3 years from receipt of the message in the “Contact” section, in order to be able to demonstrate the measures taken by the Company in consideration of it, in relation to the general limitation period of the right of action before the Bulgarian Civil Code;
• a longer period of time than those mentioned above, where the law so provides or where there is a well-founded reason for doing so (e.g. for the exercise of a right before a court in a dispute which started before the expiry of the storage period indicated herein).

Upon expiry of the above-mentioned periods, all data will be deleted from the Company’s records.

11. Rights of the data subject

Right to information

The Company’s Policies are available to the Data Subject at all times and are posted on the Site. See in this respect this Policy, the Cookies Policy and the Terms and Conditions.

The Company reserves the right to modify/update the content of the Site, including the policies referred to, at its sole discretion, at any time and for any reason (including but not limited to the occurrence of legislative or case law changes that may affect the consequences of what is posted on the Site). Future revisions to this policy will be indicated by a change to the “Last Updated” date at the top. After the date on which the updated policy is published, access to the Site will constitute the user’s acceptance of those updated terms.

However, if there will be significant changes that could affect the rights and freedoms of visitors or it is mandatory to obtain their consent, informing them of such changes will be done by easily visible indications posted on the Site (pop-ups) or by sending e-mails to the addresses provided if applicable. Such significant changes will take effect for visitors within 15 days from the time of the display of the pop-up in question or the transmission of the e-mail by the Company (the manner in which the information will be provided will be decided by the Company on a case-by-case basis).

Regardless of the extent of the change, however, the responsibility for checking the content of the Site (including the Terms and Conditions and posted policies) to keep up to date with the latest versions remains entirely with the user.

Thus, REVIEWING THE PRIVACY AND DATA PROTECTION POLICY, THE TERMS AND CONDITIONS AND THE COOKIES POLICY IS A MUST FOR VISITORS EVERY TIME THE SITE IS ACCESSED AND BEFORE ANY DATA SUBMISSIONS OR ENTRIES ARE MADE, AS CHANGES MAY OCCUR.

Upon request, the Data Subject will be informed of the substance of the contracts concluded with the above recipients where possible and of the source of the data.

Right of access to data

If the Data Subject would like information about the processing, he or she may submit a request to the Company, which will reply within 30 days of receipt.

Right to rectification of data

If the Data Subject wishes to rectify/complete the data, he or she may submit a request to the Company, which will respond within 30 days of receipt.

Right to erasure of data

If the data subject wishes to have his/her personal data deleted, this is possible: at the end of the processing time; if the data are no longer necessary for the purpose of processing; if consent is withdrawn and there is no other basis for the processing; if he/she objects to the processing and there are no overriding legitimate grounds; if the processing is illegal; if deletion is required by law.

Any matters not covered by this Personal Data Protection Policy shall be governed by European Regulation 2016/679, the Personal Data Protection Act as well as any other relevant regulations.

Some data are part of the Company’s records, which it keeps in relation to its legal obligations or legitimate interest. Therefore, not all data can be deleted, according to the law. However, any refusal to delete will be justified by the Company and will be based on a clear legal ground.

Right to restrict processing or object to processing

The restriction of processing may apply if the Data Subject finds that:

• the data are not accurate;
• the processing is unlawful and the Data Subject objects to the erasure;
• The company no longer needs the data but the data subject requests it for a court action and it has not yet been deleted;
• The data subject objects to the processing.

The Company may continue to process the restricted data if it is necessary for the establishment, exercise or defence of legal claims or the protection/defence of a person but only with the consent of the Data Subject.

The Company will communicate to recipients the rectification, erasure or restriction of data unless this is impossible or involves disproportionate effort.

The right to data portability

The data subject or the person indicated by him may receive, upon request, the data processed by the Company. The Company does not assume responsibility for the processing of the data by that recipient.

The obligation to ensure the right to portability is incumbent on the Company only if the processing of those data is based on the consent of the Data Subject or on the conclusion and performance of the contract. The steps shall be taken within a maximum of 30 days of receipt of the request.

Right to object

If possible, the Company will stop the processing of the data of the Data Subject who objects to the processing based on the legitimate interest of the Company or circumstances arise that give rise to the exercise of this right (including profiling).

However, the legitimate reason of fulfilling the Company’s legal obligations or processing for the purpose of establishing, exercising or defending a right in court shall prevail.

Right to complain

The person concerned may submit:

• complaint/application to the address of the Company indicated in point 1 above;
• action in the competent court;
• complaint to the National Authority for Personal Data Protection (www.cpdp.bg).

However, the company wants any conflict/difference to be resolved amicably and is willing to do so.

Right to withdraw consent

The data subject may withdraw his or her consent at any time, without however affecting the lawfulness of the processing prior to the withdrawal or on any other basis.

The right not to be subject to a decision based solely on automatic processing

The company does not practice decision making based on automated data processing.

12. Obligations of the Company. Security measures for processed data

The company complies with the provisions of data protection legislation and has implemented appropriate technical and organisational measures to ensure the security of personal data processed and respect for the rights of Data Subjects. Thus, Locator BG Ltd has implemented measures such as:

• the conclusion of contracts with collaborators in which they have assumed the obligation of confidentiality of the information concerning the personal data processed, as well as the obligation to comply with the applicable legislation in the field of personal data protection;
• training employees and collaborators on the importance of personal data protection and limiting their access to data according to their duties;
• establishing internal procedures to protect personal data;
• a contact address for matters relating to personal data (i.e. the one indicated in point 1 of this policy);
• implementing information security measures;
• not installing structures that allow access to the Site only if a user account is created;
• not setting cookies in addition to those necessary for the operation of the Site, without giving the user a choice that is permanently available.

The Company will also inform the competent data protection authority in the event of a data security incident without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. If the notification to the authority is not made within 72 hours, it shall be accompanied by a reasoned explanation for the delay.

In the event of an incident involving the security of personal data, the Company will also inform the Data Subject without undue delay if the breach of security of personal data is likely to result in a high risk to his/her rights and freedoms. However, the aforementioned notification of the Data Subject is not required if any of the following conditions are met:

• The Company has implemented appropriate technical and organisational safeguards and these safeguards have been applied to personal data affected by the personal data breach;
• The Company has taken subsequent measures to ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise;
• would require a disproportionate effort. In this situation, public information or a similar measure is carried out instead, whereby the data subjects are informed in an equally effective way.

Any traffic statistics for users of the Site/application that we provide to third party advertising networks or partner sites are provided only as aggregate data and do not include any identifiable information about any individual user.

Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. Consequently, despite Locator BG Ltd’s efforts to protect users’ personal data, it cannot ensure or guarantee the security of information transmitted by users via the Site. Users are therefore warned that any information sent via the online environment will be done at their own risk.

In order to reduce this risk, Locator BG Ltd makes available to all interested parties the possibility of sending requests/applications/addresses/messages in physical form to the Company’s headquarters and not necessarily by electronic means.

13. Liability of the Company

The liability of the Company in relation to the Data Subject shall be determined in relation to the capacity held in the respective data processing operation, the reason and place of the incident, the security measures taken, the steps taken to avoid incidents and the compliance with other legal obligations.

14. Transfer to third countries/international organisations

The Company does not transfer outside the EU personal data of the Data Subject collected through the Site.

15. Final provisions

This policy applies to the Company and visitors to the Site (including those who complete forms on the Site).

This document is part of the Company’s set of security policies. Other policies may apply to the topics addressed in this document and will be revised according to specific needs.