1. DEFINITIONS

1.1. Administrator – Tsilkov Ltd., Sredna Gora 33A, Karlovo, Bulgaria.

1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected via through cookies and other similar technology.

1.3. Policy – this Privacy Policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Website – website run by the Administrator at www.tsilkov.com.

1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.

2. DATA PROCESSING IN CONNECTION WITH USING THE WEBSITE

2.1. In connection with the User’s use of the Website, the Administrator collects data to the extent necessary to provide individual services offered, as well as information about the User’s activity on the Website. The detailed rules and purposes of processing personal data collected when using the Website by the User are described below.

3. OBJECTIVES AND LEGAL BASIS FOR DATA PROCESSING ON THE WEBSITE

USE OF THE WWW.TSILKOV.COM WEBSITE

3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected via cookies or other similar technologies) who are not registered Users (i.e. people who do not have a profile on the Website) are processed by the Administrator:

3.1.1. in order to provide services electronically in the scope of making content collected on the Website available to Users, booking products as part of the product reservation service on the Website, sharing offers of other sellers as part of the Marketplace service, providing contact forms – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) GDPR);

3.1.2. in order to handle purchases made without registration on the Website – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);

3.1.3. in order to handle complaints – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);

3.1.4. for analytical and statistical purposes – then the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in conducting analyzes of Users’ activity, as well as their preferences in order to improve the functionalities and services provided;

3.1.5. in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of his rights;

3.1.6. for marketing purposes of the Administrator and other entities, in particular related to the presentation of behavioral advertising – the principles of processing personal data for marketing purposes are described in the “MARKETING” section.

The User’s activity on the Website, including his personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities regarding the IT system used to provide services by the Administrator). Information collected in logs processed in connection with the provision of services. The administrator also processes them for technical purposes, in particular, data may be temporarily stored and processed to ensure the security and proper functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protecting against abuse and attacks .

REGISTRATION ON THE WEBSITE WWW.TSILKOV.COM

3.2. Persons who register on the Website are asked to provide the data necessary to create and maintain an account. In order to facilitate the service, the User may provide additional data, thus agreeing to their processing. Such data can be deleted at any time. Providing data marked as mandatory is required in order to set up and operate an account, and failure to provide them results in the inability to set up an account. Providing other data is voluntary.

3.3. Personal data is processed:

3.3.1. in order to provide services related to maintaining and servicing an account on the Website – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR), and in the scope of data provided optionally – the legal basis for processing is consent (Article 6 section 1 letter a of the GDPR);

3.3.2. for analytical and statistical purposes – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in conducting analyzes of Users’ activity on the Website and how to use the account, as well as their preferences in order to improve the functionalities used;

3.3.3. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of his rights.

3.3.4. for marketing purposes of the Administrator and other entities, in particular sellers using the Marketplace service – the rules for processing personal data for marketing purposes are described in the “MARKETING” section.

3.4. If the User places on the Website any personal data of other people (including their name, address, telephone number or e-mail address), they may do so only on the condition that the applicable law and personal rights of these people are not violated.

PLACING ORDERS

3.5. Placing an order (purchase of goods or services) by the Website User involves the processing of his personal data. Providing data marked as mandatory is required in order to accept and service the order, and failure to provide them results in the lack of its implementation. Providing other data is optional. Placing an order by the User as part of the Marketplace service causes that the User’s personal data necessary to complete the order will be made available to the seller in order to perform the contract.

3.6. Personal data is processed:

3.6.1. in order to perform the order placed – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR); in the scope of data provided optionally, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);

3.6.2. in order to fulfill the statutory obligations incumbent on the Administrator, resulting in particular from tax and accounting regulations – the legal basis for processing is the legal obligation (Article 6(1)(c) of the GDPR);

3.6.3. for analytical and statistical purposes – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in conducting analyzes of Users’ activity on the Website, as well as their shopping preferences in order to improve the functionalities used;

3.6.4. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of his rights.

CONTACT FORMS

3.7. The administrator provides the possibility of contacting him using electronic contact forms. Using the form requires providing personal data necessary to contact the User and answer the inquiry. The user may also provide other data to facilitate contact or handling the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide them results in the inability to service. Providing other data is voluntary.

3.8. Personal data is processed:

3.8.1. in order to identify the sender and handle his inquiry sent via the provided form – the legal basis for processing is the necessity of processing to perform the contract for the provision of the service (Article 6(1)(b) of the GDPR);

3.8.2. for analytical and statistical purposes – the legal basis for processing is the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in keeping statistics of inquiries submitted by Users via the Website in order to improve its functionality.

4. MARKETING

4.1. The Administrator processes Users’ personal data in order to carry out marketing activities, which may consist of:

4.1.1. displaying marketing content to the User that is not adapted to his preferences (contextual advertising);

4.1.2. displaying marketing content to the User that corresponds to his interests (behavioral advertising);

4.1.3. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;

4.1.4. conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).

4.2. In order to carry out marketing activities, the Administrator uses profiling in some cases. This means that thanks to automatic data processing, the Administrator assesses selected factors concerning natural persons in order to analyze their behavior or create a forecast for the future.

CONTEXTUAL ADVERTISING

4.3. The Administrator processes Users’ personal data for marketing purposes in connection with targeting Users with contextual advertising (i.e. advertising that does not match the User’s preferences). The processing of personal data then takes place in connection with the implementation of the Administrator’s legitimate interest (Article 6(1)(f) of the GDPR).

BEHAVIORAL ADVERTISING

4.4. The Administrator processes Users’ personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with targeting Users with behavioral advertising (i.e. advertising that is tailored to the User’s preferences). The processing of personal data then also includes the profiling of Users. The use of personal data collected through this technology for marketing purposes, in particular in the field of promoting services and goods of third parties, is based on the legitimate interest of the administrator and only on the condition that the User has consented to the use of cookies. Consent to the use of cookies can be expressed through the appropriate configuration of the browser, and can also be withdrawn at any time,

4.5. This consent may be withdrawn at any time.

DIRECT MARKETING

4.6. If the User has agreed to receive marketing information via e-mail, SMS and other means of electronic communication, the User’s personal data will be processed for the purpose of sending such information. The basis for data processing is the legitimate interest of Tsilkov Ltd., consisting in sending marketing information within the limits of the consent given by the User (direct marketing). The user has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the legitimate interest of Tsilkov Ltd., unless the User objects to receiving marketing information.

5. SOCIAL SITES

5.1. The Administrator processes the personal data of Users visiting the Administrator’s profiles in social media (Facebook, YouTube, Instagram, Twitter, Google +, Pinterest). These data are processed only in connection with maintaining a profile, including to inform Users about the Administrator’s activity and to promote various types of events, services and products, as well as to communicate with users via functionalities available in social media. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting its own brand and building and maintaining a community associated with the brand.

6. MOBILE APPLICATIONS

6.1. The Administrator processes Users’ personal data also in order to enable the use of services offered as part of the Website, as well as additional services via mobile applications. Users’ data is processed in order to register and use mobile applications. The legal basis for data processing in this respect is the necessity to perform the contract (Article 6(1)(b) of the GDPR).

6.2. Using mobile applications, the User may in particular: browse the Website’s assortment, access their account on the Website, place orders and make payments for them, read the information provided in the mobile application and use other functionalities available in the mobile application. The Administrator informs that due to technical limitations, the mobile application does not provide the possibility of using all the functionalities of the Website that are available through the Website.

7. COOKIES AND SIMILAR TECHNOLOGY

7.1. Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information facilitating the use of the website – e.g. by remembering the User’s visits to the Website and activities performed by him.

“SERVICE” COOKIES

7.2. The administrator uses the so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to him use cookies, storing information or accessing information already stored in the User’s telecommunications end device (computer, telephone, tablet, etc.). Cookies used for this purpose include:

7.2.1. cookies with data entered by the User (session ID) for the duration of the session (userinputcookies);

7.2.2. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);

7.2.3. cookies used to ensure security, e.g. used to detect abuses in the field of authentication (usercentricsecuritycookies);

7.2.4. session cookies of multimedia players (e.g. flash player cookies), for the duration of the session (multimedia playersessioncookies);

7.2.5. persistent cookies used to personalize the User interface for the duration of the session or slightly longer (userinterfacecustomizationcookies),

7.2.6. cookies used to remember the contents of the basket for the duration of the session (shopping cartcookies);

7.2.7. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at the following link:https://www.google.com/intl/pl/policies/privacy/partners.

“MARKETING” COOKIES

7.3. The administrator also uses cookies for marketing purposes, including in connection with targeting Users with behavioral advertising. For this purpose, the Administrator stores information or accesses information already stored in the User’s telecommunications end device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the field of promoting services and goods of third parties, requires the consent of the User. This consent can be expressed through the appropriate configuration of the browser, and can also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.

8. PERSONAL DATA PROCESSING PERIOD

8.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service or order execution, until the consent is withdrawn or an effective objection to data processing is made in cases where the legal basis for data processing is the Administrator’s legitimate interest.

8.2. The period of data processing may be extended if the processing is necessary to establish and pursue any claims or defend against them, and after that time only if and to the extent required by law. After the processing period has expired, the data is irreversibly deleted or anonymized.

9. USER RIGHTS

9.1. Data subjects have the following rights:

9.1.1. The right to information about the processing of personal data – on this basis, the person submitting such a request, the Administrator provides information about the processing of personal data, including, in particular, about the purposes and legal grounds for processing, the scope of data held, entities to which personal data are disclosed and the planned date of their removal ;

9.1.2. The right to obtain a copy of the data – on this basis, the Administrator provides a copy of the processed data regarding the person submitting the request;

9.1.3. The right to rectify – on this basis, the Administrator removes any inconsistencies or errors regarding the processed personal data, and supplements or updates them if they are incomplete or have changed;

9.1.4. The right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;

9.1.5. The right to limit processing – on this basis, the Administrator ceases to perform operations on personal data, with the exception of operations to which the data subject has consented and their storage, in accordance with the adopted retention rules, or until the reasons for limiting data processing cease to exist (e.g. a decision of the supervisory authority will be issued, allowing for further data processing);

9.1.6. The right to transfer data – on this basis, to the extent that data is processed in connection with the concluded contract or consent, the Administrator issues data provided by the person to whom they relate, in a format that allows them to be read by a computer. It is also possible to request that these data be sent to another entity – provided, however, that there are technical possibilities in this respect both on the part of the Administrator and that other entity;

9.1.7. The right to object to the processing of data for marketing purposes – the data subject may object to the processing of personal data for marketing purposes at any time, without the need to justify such an objection;

9.1.8. The right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the Administrator’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this regard should contain a justification and is subject to the Administrator’s assessment;

9.1.9. The right to withdraw consent – if the data is processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the consent is withdrawn;

9.1.10 Right to complain – if it is found that the processing of personal data violates the provisions of the GDPR or other provisions regarding the protection of personal data, the data subject may submit a complaint to the President of the Office for Personal Data Protection.

9.2. An application regarding the exercise of the rights of data subjects can be submitted:

9.2.1. in writing to the following address: Tsilkov Ltd., Sredna Gora 33A, Karlovo, 4300, Bulgaria.

9.2.2. by e-mail to the following address: office@tsilkov.com.

9.3. The application should, if possible, precisely indicate what the request concerns, i.e. in particular:

9.3.1. what right the person submitting the application wants to exercise (e.g. the right to receive a copy of the data, the right to delete data, etc.);

9.3.2. what processing process the request concerns (e.g. using a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific email address, etc.);

9.3.3. what processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).

9.4. If the Administrator is unable to determine the content of the request or identify the person submitting the request based on the submitted application, he will ask the applicant for additional information.

9.5. A response to applications will be provided within one month of receipt. If it is necessary to extend this period, the Administrator will inform the applicant about the reasons for such extension.

9.6. The answer will be provided to the e-mail address from which the application was sent, and in the case of applications sent by letter, by regular mail to the address indicated by the applicant, unless the content of the letter indicates the desire to receive feedback to the e-mail address (in this case, please provide e-mail adress).

10. DATA RECIPIENTS

10.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, auditing, consulting services, couriers (in connection with the execution of the order) , marketing agencies (in the field of marketing services) and entities related to the Administrator, including companies from its capital group and business partners. In the case of a purchase made from an entity other than the Administrator, on the Marketplace platform, the User’s data will be disclosed to the seller in order to conclude and perform the sales contract;

10.2. If the User’s consent is obtained, his data may also be made available to other entities for their own purposes, including marketing purposes.

10.3. The Administrator reserves the right to disclose selected information about the User to competent authorities or third parties who submit a request for such information, based on the appropriate legal basis and in accordance with the provisions of applicable law.

11. TRANSFER OF DATA OUTSIDE THE EEA

11.1. The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when it is necessary and with an appropriate level of protection, primarily through:

11.1.1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;

11.1.2. the use of standard contractual clauses issued by the European Commission;

11.1.3. application of binding corporate rules approved by the competent supervisory authority;

11.1.4. in the event of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, approved by the decision of the European Commission.

11.2. The administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.

12. SECURITY OF PERSONAL DATA

12.1. The administrator conducts risk analysis on an ongoing basis to ensure that personal data is processed by him in a secure manner – ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the tasks they perform . The administrator makes sure that all operations on personal data are registered and performed only by authorized employees and associates.

12.2. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data at the request of the Administrator.

13. CONTACT DETAILS

13.1. Contact with the Administrator is possible via the e-mail address or correspondence address of Tsilkov Ltd., Sredna Gora 33A, Karlovo, 4300, Bulgaria.

14. CHANGE OF PRIVACY POLICY

14.1. The policy is verified on an ongoing basis and updated if necessary.