Privacy policy

Privacy policy

Privacy policy

Information about the personal data controller:

Harmony Group Ltd. Is a company registered under the Commercial Law of the Republic of Bulgaria with UIC 204493998, with an address: 105 Tsar Simeon Veliki Blvd., 5th floor, office 3, Stara Zagora, Stara Zagora Municipality Stara Zagora District, 6000

E-mail address:

Telephone number: +359 896 001 1701

Contacts of personal data protection official:

Company: “Harmony Group” Ltd.

Address: 105 Tsar Simeon Veliki Blvd., 5th floor, office 3, Stara Zagora, Stara Zagora Municipality Stara Zagora District, 6000, Bulgaria

E-mail address:

Personal data protection official:

Stela Bobcheva

Reasons and purposes for which we use your data

We process your data on the following grounds:

The contract concluded between us and you to fulfil our obligations under it;

Explicit consent from you – the purpose is indicated for each specific case;

In case of an obligation under the law;

In the following paragraphs you will find detailed information about the processing of your data depending on the reason on which we process them.


We process your data to fulfil the contractual and pre-contractual obligations and to enjoy the rights under the contracts concluded with you.

Purposes of processing:

establishing your identity;

management and execution of your request and execution of a concluded contract;

preparation of a proposal for concluding a contract;

preparing and sending an invoice for the services you use with us;

to provide you with the necessary comprehensive service, as well as to collect the amounts due for the services used;

keeping correspondence in connection with an order, processing requests, reporting problems, etc.

notification of everything related to the services you use with us;

customer history analysis;

identify and / or prevent illegal actions or actions contrary to our terms of service;

Data we process on this basis:

Based on the contract concluded between us and you, we process information about the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:

personal contact details – contact address, email, phone number;

identification data – the three names, unique civil number or personal number of a foreigner, gender, age group, permanent address;

data on the orders placed;

correspondence in connection with the overall service – e-mail, letters, information about your requests for troubleshooting, complaints, requests, complaints, feedback that we receive from you;

credit or debit card information, bank account number or other banking and payment information in connection with the payments made;

other information such as:

Customer number, code or other identifier created for identification;

IP address when visiting our website;


Profile data on social networks

Information from your actions on the site

The processing of the specified personal data is mandatory for us so that we can conclude the contract with you and fulfil it. Without providing us with the above data, we would not be able to fulfil our obligations under the contract.

We provide personal data to third parties

We provide your data to third parties, and our main goal is to offer you quality, fast and comprehensive service. We do not provide your data to third parties until we have made sure that all technical and organizational measures have been taken to protect this data and we strive to exercise strict control over the implementation of this purpose. In this case, we remain responsible for the confidentiality and security of your data.

We provide personal data to the following categories of recipients (personal data controllers):

postal operators and courier companies;

persons who on assignment maintain equipment, software and hardware used for personal data processing and necessary for the company’s activity

persons providing consulting services in various fields.

When we delete data collected on this basis

We delete the data collected on this basis 5 years after the termination of the contractual relationship, regardless of whether due to the expiration of the contract, cancellation or other grounds. The term is determined by the 5-year limitation period for possible claims under the contract.


The law may provide for an obligation for us to process your data. In these cases, we are obliged to perform the processing, such as:

Obligations under the Anti-Money Laundering Measures Act;

Fulfilment of obligations in connection with distance selling, off-site sales, provided for in the Consumer Protection Act;

Providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;

Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation for personal data protection;

Obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related normative acts, in connection with the keeping of lawful accounting;

Providing information to the court and third parties, in the framework of proceedings before a court, by the requirements of the regulations applicable to the proceedings;

Age verification when shopping online.

When we delete personal data collected on this basis

The data collected by an obligation provided by law are deleted after the obligation for collection and storage is fulfilled or ceases to exist. For example:

under the Accounting Act for storage and processing of accounting data (11 years),

obligations to provide information to the court, competent state authorities, etc. grounds provided for in the current legislation (5 years).

Providing data to third parties

When there is an obligation for us by law, it is possible to provide your data to the competent state authority, natural or legal person.


We process your data on this basis only after your explicit, unambiguous and voluntary consent. We will not foresee any adverse consequences for you if you refuse to process personal data.

Consent is a separate basis for the processing of your data and the purpose of the processing is stated in it, and is not covered by the purposes listed in this policy. If you give us the relevant

consent and until its withdrawal or termination of any contractual relationship with you, we prepare suitable proposals for products / services, performing detailed analyses of your basic personal data;

Detailed analysis is a method of performing analysis that allows the processing of large volumes of data using statistical models and algorithms and others, which include the use of personal data, as well as processes of pseudonymization and anonymization of the same, to extract information about trends and various statistical indicators.

Data we process on this basis:

On this basis, we only process data for which you have given us your express consent. The specific data are determined for each case. Usually this data is names, email, phone, gender, age, website, phone applications.

Providing data to third parties

On this basis, we may provide your data to Facebook, Google, Mailchimp, Podio, Sendinblue, Viber, Watsapp, Messenger, SMS marketing platforms.

Withdrawal of consent

Concessions granted may be withdrawn at any time. Withdrawal of consent does not affect the performance of contractual obligations. If you withdraw your consent to the processing of data in any or all of the ways described above, we will not use your personal data and information for the purposes set out above. Withdrawal of consent shall not affect the lawfulness of the

processing based on a consent before its withdrawal.

To withdraw your consent, you only need to use our site or just our contact information.

When we delete data collected on this basis

We delete the data collected on this basis at your request or 12 months after their initial collection.


We process your data for static purposes, ie for analyses in which the results are only summary and therefore the data is anonymous. It is not possible to identify a specific person from this information.

Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable items / items that allow you to identify yourself are irrevocably deleted. There are no statutory data for anonymized data, as they do not constitute personal data.

Why and how we use automated algorithms

For the processing of your data, we use partially automated algorithms and methods to continuously improve our products and services to adapt our products and services to your needs

in the best possible way. This process is called profiling.

How we protect your data

To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act.

The Company has established rules to prevent abuse and security breaches and has appointed a Data Protection Officer to assist in the processes of protecting and securing your data.

For maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization and more.

Personal data we have received from third parties

We receive personal data from the following third parties: social media, advertising and marketing service providers, Google.

Consumer Rights

Each User of the site enjoys all rights to personal data protection under Bulgarian law and European Union law.

The user can exercise their rights through the contact form or by sending a message to our email.

Each User has the right to:

Awareness (in connection with the processing of his data by the administrator);

Access to your own data;

Correction (if data is inaccurate);

Deletion of personal data (right to be “forgotten”);

Restriction of processing by the controller or processor of personal data;

Portability of personal data between individual administrators;

Objection to the processing of his data;

The data subject shall also be entitled not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for the data subject or similarly affects him to a significant degree;

Right to protection by judicial or administrative order, in case the data subject’s rights have been violated.

The user may request deletion if one of the following conditions is true:

Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

The user withdraws his consent on which the data processing is based and there is no other legal basis for the processing;’

The user objects to the processing and there are no legal grounds for the processing to take precedence;

Personal data has been processed illegally;

Personal data must be deleted to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;

Personal data have been collected in connection with the provision of information society services to children and the consent has been given by the parent responsible for the child.

The user has the right to restrict the processing of his data by the administrator when:

Challenge the accuracy of personal data. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of personal data;

The processing is illegal, but the User does not want the personal data to be deleted, but instead requires restricting their use;

The Administrator no longer needs the personal data for processing, but the User requires them for the establishment, exercise or protection of legal claims;

Objects to the processing pending verification of whether the legal grounds of the administrator take precedence over the interests of the User.

ight of portability.

The data subject has the right to receive the personal data concerning him and which he has provided to the controller, in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance from the controller. data are provided when the processing is based on consent or a contractual obligation and the processing is carried out in an automated manner. When exercising its right to data portability, the data subject shall also have the right to receive a direct transfer of personal data from one controller to another, where this is technically feasible.

Right to object.

Users have the right to object to the controller against the processing of their data. The controller of personal data shall be obliged to terminate the processing, unless he proves that there are convincing legal grounds for the processing, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or protection of legal claims. In the event of an objection to the processing of data for direct marketing, the processing should be stopped immediately.

Complaint to the supervisory authority

Each User has the right to file a complaint against illegal processing of his data to the Commission for Personal Data Protection or the competent court.

Maintaining a register

We maintain a register of the processing activities for which we are responsible. This register contains all the following information:

The name and contact details of the administrator

Processing purposes;

Description of the categories of data subjects and the categories of personal data;

The categories of recipients to whom personal data are or will be disclosed,

Including recipients in third countries or international organizations;

Where possible, the time limits for deleting the various categories of data;

Where possible, a general description of the technical and organizational security measures