Privacy policy
Last updated: [insert date when published]
This Privacy Policy explains how Sharm Collection EOOD ("we", "us", "our") collects, uses, and shares your personal data when you visit, use, or make a purchase through our online store at sharm.bg or via any related Services.
We are the data controller for your personal data under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Bulgarian Personal Data Protection Act.
By using our Services, you acknowledge you've read this Privacy Policy. If you don't agree, please don't use the Services.
1. Who we are
| Detail | Value |
|---|---|
| Legal name | Sharm Collection EOOD (Шарм Колекшън ЕООД) |
| EIK | 208386189 |
| Registered office | ul. Ivan Mihaylov 64, entr. A, fl. 5, apt. 32, Blagoevgrad 2700, Bulgaria |
| Email for privacy enquiries | sharm.collection.bg@gmail.com |
| Phone | +359 886 626 042 |
We do not have a Data Protection Officer (DPO) — under GDPR Art. 37 it is not required for our scale of processing. Privacy enquiries are handled directly by the company management.
2. Personal data we collect
We collect the following categories of personal data, depending on how you interact with us:
| Category | Examples | Source |
|---|---|---|
| Contact details | Name, billing & shipping address, phone, email | Provided by you at checkout, account signup, contact form |
| Account info | Username, password (hashed), saved addresses, order history | Provided by you when creating an account |
| Order details | Items purchased, sizes, colors, prices, payment method, order status | Generated when you place an order |
| Payment data | Card last 4 digits, payment method type, transaction reference (no full card numbers stored) | Provided to our payment processors (Stripe, PayPal, Klarna) |
| Communications | Messages you send via chat, email, contact form, phone | Provided by you when contacting us |
| Device & usage data | IP address, browser type, device, pages visited, time spent, referring site, cookies | Collected automatically when you use the site |
| Marketing preferences | Newsletter subscription status, opt-in records | Provided by you when subscribing |
We do not intentionally collect special category data (health, religion, political opinions, etc.). Please don't send us such data through contact forms.
3. Legal basis for processing (GDPR Art. 6)
We process your personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Fulfilling your order, communicating about it | Performance of contract (Art. 6(1)(b)) |
| Tax records, accounting | Legal obligation (Art. 6(1)(c)) — Bulgarian Accounting Act requires 5-year retention |
| Marketing emails, personalized advertising | Your consent (Art. 6(1)(a)) — opt-in only, withdrawable any time |
| Fraud prevention, site security, analytics | Our legitimate interest (Art. 6(1)(f)) — running a secure online business |
| Responding to legal requests, defending claims | Legal obligation (Art. 6(1)(c)) and legitimate interest |
4. How we use your personal data
- Fulfilling orders: processing payments, packing and shipping, tracking, customer service, returns and refunds, COD verification by phone or SMS (Bulgaria only).
- Account management: creating and maintaining customer accounts, saving preferences, order history.
- Marketing (only with your consent): sending newsletters about new arrivals, restocks, and promotions; showing personalized ads on Meta (Instagram, Facebook), Google, and TikTok based on your browsing.
- Site improvement: analyzing how visitors use the site to make it faster and clearer.
- Security & fraud prevention: detecting suspicious activity, preventing payment fraud, protecting against bot attacks.
- Legal compliance: maintaining records required by Bulgarian tax law, consumer protection law, and responding to lawful requests from authorities.
5. Who we share your data with
We share your data with the following recipients, each acting either as our processor (handling data on our instructions) or as a separate controller (handling it under their own privacy policy):
| Recipient | Purpose | Location | Role |
|---|---|---|---|
| Shopify Inc. | Hosting the store, order processing, customer accounts | Canada (with global data centers, EU servers used where possible) | Processor |
| Stripe Payments Europe Ltd. | Card payment processing | Ireland | Separate controller |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | PayPal payment processing | Luxembourg | Separate controller |
| Klarna Bank AB | "Pay later" / instalment processing | Sweden | Separate controller |
| Speedy AD | Bulgarian domestic delivery, COD collection | Bulgaria | Separate controller |
| Econt Express OOD | Bulgarian domestic delivery, COD collection | Bulgaria | Separate controller |
| DPD, GLS | EU cross-border delivery | EU member states | Separate controller |
| Klaviyo Inc. (if email marketing is activated) | Email marketing automation | Ireland (EU servers) | Processor |
| Meta Platforms Ireland Ltd. (if Meta Pixel is active) | Personalized advertising on Facebook/Instagram | Ireland (with data transfers to USA) | Joint controller |
| Google Ireland Ltd. (if Google Analytics is active) | Site analytics | Ireland (with data transfers to USA) | Processor |
| TikTok Technology Ltd. (if TikTok Pixel is active) | Personalized advertising on TikTok | Ireland | Joint controller |
| Tax authorities, courts, law enforcement | When required by law | Bulgaria, EU | Separate controllers |
We do not sell your personal data to third parties.
6. International data transfers
Some of the recipients above (notably Shopify, Stripe, Meta, Google, TikTok) may transfer your data outside the European Economic Area, primarily to the USA, Canada, and the UK.
These transfers are protected by:
- Standard Contractual Clauses approved by the European Commission (Commission Decision (EU) 2021/914), or
- Adequacy decisions for destination countries (Canada and the UK have current adequacy decisions; the USA is covered by the EU-US Data Privacy Framework as of July 2023).
You can request copies of the safeguards used by contacting us.
7. Cookies and similar technologies
When you visit our store, cookies and similar technologies are placed on your device. They fall into four categories:
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Make the site work (cart, checkout, login) | Shopify session cookies, CSRF tokens |
| Functional | Remember your preferences | Language selector, currency selector |
| Analytics | Understand site usage | Shopify Analytics, Google Analytics (if active) |
| Marketing | Personalized ads and email | Meta Pixel, TikTok Pixel, Klaviyo (if active) |
Strictly necessary cookies don't require consent. The others are activated only after you give consent through our cookie banner. You can change your cookie preferences at any time by clicking "Cookie preferences" in the footer.
8. Data retention
We keep your personal data only as long as needed for the purposes set out above. Specific retention periods:
| Data type | Retention period |
|---|---|
| Order records (incl. invoice data) | 5 years after end of fiscal year (Bulgarian Accounting Act Art. 12) |
| Customer account | Until you delete it, or 3 years after last activity |
| Marketing consent records | Until you withdraw consent + 1 year as evidence of consent |
| Email marketing list | Until you unsubscribe |
| Returns and complaints | 3 years (BG ZZP statute of limitations) |
| Website cookies | Per category, up to 13 months maximum |
| Contact form / email enquiries (no purchase) | 12 months after last contact |
9. Your rights under GDPR
You have the following rights regarding your personal data. To exercise any of them, email us at sharm.collection.bg@gmail.com. We respond within one month, extendable by two months for complex requests.
- Right of access (Art. 15) — request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion when no longer needed, consent is withdrawn, etc.
- Right to restriction of processing (Art. 18) — pause processing while a dispute is resolved
- Right to data portability (Art. 20) — receive your data in a structured, commonly used format, or have it transferred to another controller
- Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — anytime, without affecting prior processing
- Right not to be subject to automated decision-making (Art. 22) — we do not make decisions about you that have legal effects based solely on automated processing
You can manage your marketing email preferences directly by clicking the unsubscribe link in any marketing email.
We may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising your rights.
10. Right to complain
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the supervisory authority.
For Bulgaria (and as our home authority): Commission for Personal Data Protection (CPDP) / Комисия за защита на личните данни
Website: https://www.cpdp.bg
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
If you live in another EU member state, you may also lodge a complaint with your local data protection authority — list at https://edpb.europa.eu/about-edpb/board/members_en
11. Children
Our Services are not intended for children. We do not knowingly collect personal data from children under 16 years of age (the threshold set by GDPR Art. 8(1) and Bulgarian PDPA). If you believe we may have inadvertently collected data from a child, please contact us and we will delete it.
12. Security
We take reasonable technical and organisational measures to protect your data, including:
- HTTPS encryption for all data in transit
- Payment processing by PCI-DSS certified processors (Stripe, PayPal, Klarna) — we never store full card numbers
- Access controls and authentication for our team
- Regular security updates applied by Shopify's infrastructure
That said, no system is perfectly secure. If we ever become aware of a data breach that risks your rights, we will notify the CPDP within 72 hours and notify you without undue delay where required by GDPR Art. 34.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. We will post the updated version on this page and update the "Last updated" date. For material changes, we will notify you by email or storefront notice at least 14 days before the changes take effect.
14. Contact
For any privacy-related question or to exercise your rights:
Email: sharm.collection.bg@gmail.com
Phone: +359 886 626 042
Post: Sharm Collection EOOD, ul. Ivan Mihaylov 64, apt. 32, Blagoevgrad 2700, Bulgaria
For the purpose of GDPR, we are the data controller of your personal information.
Sharm Collection EOOD (Шарм Колекшън ЕООД) · EIK 208386189
Not registered for VAT under art. 96 of Bulgarian VAT Act (micro-business)