Art. 1 "Neyso" Ltd., VAT number: BG206627990, its main business is: trade in clothing and textiles, online trade, production of clothes and accessories, fashion design, consulting services on clothing, image, personal style and shopping, as well as graphic design services, wholesale and retail trade in the country and abroad with industrial, food, agricultural goods, entrepreneurial and intermediary activity, domestic and international transport, forwarding activity, import and export, as well as any activity not prohibited by law.
The company, which through the platform www.neyso.eu, is the administrator of personal data, according to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons, in connection with the processing of personal data and on the free movement of such data.
"Neyso" Ltd. invests all the necessary resources and implements the strictest measures to protect the security and integrity of all personal data collected from our customers. We follow the principles of legal, conscientious and transparent processing of personal data for our customers.
Therefore, we collect and process the data provided only with a view to specific, explicitly stated and legitimate purposes and do not further process in a manner incompatible with these purposes.
We have implemented systems and processes to ensure that the data we collect and store is kept to a minimum and is linked to and limited to only what is necessary to fulfil the purposes for which we collected it. We strive for your personal data to always be accurate and up-to-date, and we also rely on you, if you find an inaccuracy in your data, to remove it in a timely manner.
We assure you that we have implemented systems to ensure that we do not store your data for longer than is necessary for the purposes for which it is processed.
Also, we draw your attention to the possibility at any time and without the need to provide reasons, to withdraw your consent to process your data and to delete it if you wish, unless there are other legitimate grounds for keeping it. As it is a priority for us that the processing is carried out in a way that ensures an appropriate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, we have implemented security and restricted access mechanisms.
Art. 2 This privacy and cookie policy (the "Policy") provides information on the personal data that the Company processes and on the terms and conditions by which individuals whose personal data is processed exercise their rights.
Art. 3 Definitions. For the purposes of this Policy:
"Personal data" means any information related to an identified person or an identifiable person ("data subject"); an identifiable person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that person;
"Processing" means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;
"Restriction of processing" means marking stored personal data in order to limit their processing in the future;
"Pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is stored separately and subject to technical and organisational measures in order to ensure that personal data is not linked to an identified individual or an identifiable one;
"Personal data register" means any structured set of personal data that is accessed according to certain criteria, regardless of whether it is centralised, decentralised or distributed according to a functional or geographical principle;
"Controller" means an individual or legal person, public body, agency or other structure which alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of a State Member State, the controller or the special criteria for its designation may be established in Union law or in the law of a Member State;
"Personal data processor" means an individual, public body, agency or other structure that processes personal data on behalf of the controller;
"Recipient" means an individual, public body, agency or other structure to which the personal data is disclosed, regardless of whether it is a third party or not. At the same time, the public authorities that may receive personal data within the framework of a specific investigation in compliance with Union law or the law of a Member State, are not considered "recipients"; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
"Third party" means an individual, public body, agency or other body other than the data subject, the controller, the personal data processor and the individuals who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data;
"Data subject consent" means any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or clear affirmative action, which expresses his consent to the personal data relating to him being processed;
"Personal data security breach" means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data that is transmitted, stored or otherwise processed;
"Supervisory authority" means an independent public authority established by a Member State pursuant to Article 51 of the General Data Protection Regulation.
Art. 4 The principles related to the processing of personal data are:
Principle of legality, good faith and transparency of personal data processing - the collection of personal data must be within the scope of what is necessary. Information is collected in a legal and objective manner;
Principle of reducing data to a minimum, as well as limitation of purposes and storage - personal data must not be used for purposes other than those for which they were collected, except with the consent of the person or in the cases expressly provided for by law. Personal data must be stored for a period no longer than is necessary for the purposes for which the personal data are processed;
Principle of accuracy - personal data must be precise, accurate, complete and up-to-date, as this is necessary for the purposes for which they are processed;
Principle of integrity and confidentiality - personal data must be processed in a way that ensures an appropriate level of personal data security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures.
Art. 5 Types of processing.
For more information regarding the types of data, purposes and means of their processing, please read below.
On contractual and pre-contractual basis for the purposes of processing of an order and its delivery: We collect your data on a voluntary basis when you provide it to us, in view of your stated desire to enter into a contract for the services we provide. After the conclusion of the Contract, your data will be processed in your capacity as a party to this contract and in connection with the performance of our obligations under it. Providing this data allows us to identify the relevant individual as a party to the contract and as the holder of the rights/obligations under it. The three names, the unique civil number and the address of the person are part of the minimum content of each contract. In the event that a person refuses to provide them, "Neyso" Ltd. will not be able to conclude a contract. In order to be able to fulfil the concluded contracts, it is necessary to process the personal data of the individuals with whom we have concluded them. Otherwise, it will be impossible for us to fulfil our contractual commitments.
Data identifying the person placing the Order (the Client/Customer):
- Name and family name;
- Delivery address;
- Phone number;
- Email address;
- IP address;
- Account’s data (for registered Customers)
Payment data (according to the preferred method of payment)
- Payment data via bank (bank transfer or card payment)
On a legal basis:
- When payment requires an accounting document to be issued;
Accounting data pursuant to the Value Added Tax Act:
- Full name of the Client when the latter is an individual or a representative, when the person ordering is a legal entity, with the exception of a statutory representative, registered in the Commercial Register;
- VAT identification number.
When fulfilling this obligation, the relevant information and documents that contain personal data are stored for the periods stipulated in the relevant laws.
On a legal basis, when according to the applicable legislation, we are obliged to provide information to competent authorities.
Based on explicitly stated consent for the purposes of:
- creation and management of аccount, to the extent that registration on the Website is not mandatory for its use and creation of Account is a matter of free choice on the part of the Client for tracking and managing his/her Orders:
- Name and family name;
- Email address;
- Phone number;
- Password;
- A list of chosen products;
- A list of delivery and invoice addresses entered by the Client;
- Order history;
- History of profile visits;
- Discount vouchers;
- A list of payments (without stating transaction data);
- A list of reimbursed amounts for returned or cancelled Orders;
- Receiving direct marketing messages, including personalised offers, promotional activities and other marketing activities:
User data - Email address;
- Participating in contests, marketing campaigns and marketing surveys:
User data, which may consist of:
- Email address;
- Name;
- Address (if an award / gift is provided for the purpose of their delivery);
- Phone number (if an award / gift is provided for the purpose of their delivery);
- Any further personal details that might be specifically required for the purposes of the specific contest, campaign or survey;
Neyso Ltd. processes data for business analysis of the sales extrapolated as depersonalized anonymous data on the basis of legitimate interest:
Anonymized data
- Statistical information for the total number of visits on the Websites and determination fo the incoming traffic to the Website, effected deliveries, requests for assistance and complaints accepted;
- Improvement of the services and products provided by Neyso Ltd.
We may process personal data on the basis of legitimate interest when it is also necessary to settle legal disputes.
Art. 6 (1) Use of cookies. The marketing activities related to the analysis of user’s behaviour and advertising with the provision of explicit consent in electronic form by marking in the bar at the bottom of the homepage of the Company's website or from the "Cookie settings" menu of this Policy are carried out and by processing data that do not allow the identification of an individual (e.g. name, surname, telephone number, address, etc.), but by the user's activity through the relevant browser through the so-called cookies or advertising banners, which contains the following data:
- Events related to the activity of the Company's site (number of pages viewed on the site, products viewed on the site, searches on the Company's site);
- Information related to the user's device (device type, operating system and version);
- Approximate location derived from the IP address.
(2) The activities under paragraph 1 are carried out through so-called "cookies", which are used by the Company or by third parties - partners of the Company. Cookies are small packets of information sent by website pages to a user's browser and stored on their device. In addition to cookies, in some cases the Company may also use pixel tags or other similar technologies. Pixel tags are tiny images that may be included on the Company's sites, services, applications, and communications that typically function in conjunction with cookies. All these technologies are referred to as "cookies" in this Privacy and Cookies Policy.
(3) For the processing of the data under paragraph 1 through cookies and advertising banners, the user must provide his express consent to the use of cookies in electronic form by marking in the bar at the bottom of the homepage of the Company's website or from the "Cookie settings" menu. The provision or withdrawal of consent does not applies to the use of necessary cookies, since without them the Company's website cannot operate.
Art. 7 Duration of the processing.
- Data is processed within the following time limits:
- Data processed for the purposes of conclusion and performance of the distant sales contract – the limitation periods for asserting legal claims as provided by applicable law;
- Data processed for accounting purposes – as provided by applicable law;
- Data provided on the basis of consent – until its withdrawal. You can always withdraw your consent also online through the options of your Account (if and when applicable).
- Data for and in the Account – until the Client deletes its Account;
RIGHTS OF DATA SUBJECTS AND PROCEDURES FOR THEIR EXERCISE
Art. 8 (1) Subjects of personal data have the following rights regarding their personal data:
- right of information;
- right of withdrawal;
- right of access;
- right of rectification;
- right to data portability;
- right to erasure (right to be forgotten);
- right to request restriction of processing;
- right to object to the processing of personal data;
- right of the subject not to be subject to a decision based solely on automated processing including profiling.
(2) These rights can be exercised free of charge by sending a request to our email address: info@neyso.boutique, in which you clearly indicate which right you wish to exercise, together with an explanation, as well as how we can be contacted with you.
(3) "Neyso" Ltd. shall rule on your request within 14 days of its submission. If a longer period is objectively necessary - in order to collect all the requested data and this seriously complicates our activity, this period can be extended up to 30 days. With its decision, "Neyso" Ltd. can grant or deny access and/or the information requested by the applicant, motivating its response.
Art. 9 (1) In connection with the right under Art. 8, paragraph 1, item 1 above, any individual, a subject of personal data, has the right to receive information about the personal data controller, as well as about the processing of his personal data. This information includes:
- data identifying the administrator, as well as his contact details;
- the purposes and legal basis for the processing;
- the recipients or categories of recipients of the personal data, if any;
- the controller's intention to transfer the personal data to a third party (where applicable);
- the period of storage of personal data;
- the existence of automated decision-making, including profiling (if any);
- information about any rights that the subject has;
- the right to appeal to the supervisory authority.
(2) The information under paragraph 1 is not provided if the data subject already has it.
(3) Applications for access to information or for correction are submitted in person or by a person expressly authorised by you, through a notarised power of attorney. An application can also be submitted electronically, in accordance with the Law on Electronic Documents and Electronic Signatures.
(4) The reference shall be provided in one copy to the data subject free of charge. For additional copies requested by the data subject or in the case of excessive requests by the subject, especially due to their repetition, the Company may charge a reasonable fee equal to the administrative costs incurred.
(5) When providing a copy of personal data, the Company cannot disclose the following categories of data:
- personal data of third parties, unless they have expressed their express consent to this;
- data that constitutes a trade secret, intellectual property or confidential information;
- other information that is protected under applicable law.
(6) The reasonableness and excessiveness of a given request is assessed separately for each case by the Company.
(7) In case of refusal to grant access to personal data, the Company shall justify its refusal and inform the data subject of his right to file a complaint with the supervisory authority.
Art. 10 (1) In connection with the right under Art. 8, paragraph 1, item 2 above, the subject of personal data has the right of withdrawal. If you have given consent to the use of your data, you can withdraw it at any time with effect in the future without having to give reasons.
Art. 11 (1) Data subjects may request that their personal data processed by the Company be corrected in the event that the latter are inaccurate or incomplete.
(2) Upon a satisfied request for correction of personal data, the Company shall notify the recipients of data to whom such data were disclosed.
(3) The right under paragraph 1 is exercised by submitting a request pursuant to Art. 9 of this privacy policy.
Art. 12 (1) Every individual, subject of personal data, has the right to request deletion of his data, the so-called "right to be forgotten" if one of the following conditions is met:
- the individual's personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws his consent on which the data processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no overriding legal grounds for the processing;
- the personal data were processed unlawfully;
- the personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State that applies to the controller;
- the personal data were collected in connection with the provision of information society services to children and the consent was given by the holder of parental responsibility for the children.
(2) The right under Paragraph 1 is exercised by making a request in accordance with Art. 9 of this privacy policy.
Art. 13 (1) Every individual, a subject of personal data, has the right to limit the processing of his personal data by the controller, but for this purpose specific conditions are necessary, including:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful, but the data subject does not wish the personal data to be deleted, but instead requests the restriction of its use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
- the data subject has objected to the processing pending verification of whether the legitimate grounds of the controller prevail over the interests of the data subject.
(2) In the cases under paragraph 1, item 1, the restriction of processing is for a period that allows the controller to check the accuracy of the personal data.
(3) The right under paragraph 1 is exercised by making a request in accordance with Art. 9 of this privacy policy.
Art. 14 (1) Every individual who is a subject of personal data has the right to receive the personal data concerning him and which he has provided to a controller in a structured, widely used and machine-readable format and has the right to transfer or request the transfer of such data to another administrator without hindrance from the administrator to whom the personal data have been provided, when the processing is based on consent or a contractual obligation and the processing is carried out in an automated manner.
(2) The rights under paragraph 1 are exercised by making a request in accordance with Art. 9 of this privacy policy.
Art. 15 (1) The data subject has the right to object to the processing of his personal data by the Company, if the data is processed on one of the following grounds:
- the processing is necessary for the performance of a task of public interest or in the exercise of official powers that have been granted to the controller;
- the processing is necessary for purposes related to the legitimate interests of the Company or a third party;
- data processing includes profiling.
(2) The controller shall terminate the processing of personal data, unless he proves that there are convincing legal grounds for its continuation, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Art. 16 (1) Every individual, a subject of personal data, has the right to be notified, and the Company is obliged to notify the subject, in the event of a breach of the security of his personal data and when there is a possibility that this breach will create a high risk for the rights and the freedoms of the data subject.
(2) The notification under paragraph 1 should be carried out without undue delay after its discovery and contain a description of the nature of the personal data security breach, indicating the nature of the breach, the name and contact details of the data protection officer, if applicable, the consequences of the breach and the measures taken measures by the Company to deal with the violation and to reduce the possible adverse consequences.
Art. 17 In the event of a violation of your rights or applicable data protection legislation, you have the right to file a complaint with the Commission for the Protection of Personal Data or the relevant Data Protection Authority in your country. You can get more information on the CPLD website: www.cpdp.bg.
Third parties to whom we provide your personal data:
Art. 18 Neyso Ltd. may disclose personal data to third party vendors and hosting partners who perform services for NEYSO.
- Courier companies and post services, effecting the delivery of confirmed orders through the Website and payments made thereto;
- Payment services suppliers for the purposes of effecting a payment or reimbursement of amounts upon exercising a right of cancellation of a product purchase, as well as for accounting purposes in accordance with the legal requirements;
- Consultants in various fields for the purposes of protection of our legitimate interests in the maintenance and improvement of service quality, compliance with statutory requirements, protection of legal rights and interests in court and administrative proceedings; financial and accountancy reporting;
- State bodies and authorities in relation to checks performed by them in accordance with statutory requirements and limitations;
- Providers of online based technical solutions ensuring the proper functioning and maintenance of the Website.
How do we store and protect Personal Data?
Art. 19 Safeguarding Personal Data is of the utmost importance to Neyso Ltd. We therefore continuously strive to apply the necessary technical and organizational measures with to protect Personal Data. Information is stored within the EU, Bulgaria.
Neyso Ltd. reserves the right to modify this privacy policy. The most recent revision shall supersede any earlier versions. The current version of the privacy notice will be available at NEYSO’s website or at request at all times. We advise that you check the privacy policy from time to time, to keep up to date with the current notice. We will notify you of any changes to the privacy policy that you are entitled to receive information about or which requires your consent.
The Website may contain referrals to websites of third parties, including payment providers. Neyso Ltd. not be liable for the protection of your personal data processed by these third parties. Please acquaint yourself with the policies uploaded on these websites in connection to the protection of your personal data and the grounds for processing your personal data applied by them.
Version as of May 1, 2023
Cookies
Cookies are small text files that are generated upon request from your browser to a web server and stored on your device. Their purpose is usually to be able to identify your device and its behaviour when visiting our site.
Types of cookies:
- Session cookies are temporarily stored on your computer when you visit our Site, but are deleted the moment you close the page.
- Persistent cookies are stored as a file on your computer or mobile device for a longer period of time.
- System-necessary cookies: These are cookies without which the functioning of the site is impossible or is placed at high risk. This includes cookies for navigating the website, saving the filled-in information when moving between the different steps. Cookies are also systemically necessary, providing control over connection security and protection from unwanted external interference. These types of cookies are often referred to as temporary or session cookies, as they are stored temporarily and disappear after the browser session is closed.
- Functionality cookies: This category of cookies serves to facilitate the user's use of the website and comply with the user's individual preferences. Functionality cookies include device recognition cookies, saving language and font size preferences, and more. This type of cookies can be stored for a longer time on the device, they can be used in more than one browser session and are called persistent.
- Advertising cookies - These cookies use information about how you use our sites - the pages you visit or how you respond to advertisements - to provide you with advertisements that are tailored to your preferences - both on and off our site him.
- Third-party cookies, for performance, analytics and advertising Analytics cookies are used to collect statistical information