This document contains the Personal Data Security Policy for Individuals (“Policy”) and is linked to, but not an integral part of, the General Terms and Conditions, as it does not regulate rights and obligations but is intended to explain to users what personal data we process, in what way, for what purpose, and what security measures apply. It also provides information about the rights that you, our customers and users, have in relation to the processing of personal data by Estelani Ltd (www.estelswimwear.com). If the Policy changes, the changes will be published here.
Effective from: 08.02.2024.
Your privacy is extremely important to us. This security policy provides information about what personal data we collect from you in the course of our relationship and how we use that data.
DATA CONTROLLER
“Estelani” Ltd, UIC 207599298, registered office and registered address: Burgas, address for correspondence: Burgas, e-mail: [email protected] (hereinafter abbreviated as “Estel Swimwear”, “We”, “Online Shop”, “Site”, “Website”, “Administrator”) is the controller of data, including personal data, with respect to information collected or provided when browsing the www.estelswimwear.com website or making a purchase through it, as well as when browsing or purchasing a product or service through our Facebook page (collectively abbreviated as “Site”, “Website”). The Policy also applies where you, as individuals (for short “Subjects”), voluntarily provide us with personal data electronically (via email), by telephone or by other means, including on-site at our retail outlet or office. “Estelani” Ltd also processes personal data from enquiries made by you to us and for marketing and advertising purposes, profiling, participation in games, promotions and raffles organised by us and for any other purposes not prohibited by law. In processing personal data, Estel Swimwear complies with all data protection legislation applicable to its activities, including but not limited to Regulation (EU) 2016/679 (“Regulation”) and the Data Protection Act, because the security of our customers’ personal data is of paramount importance to us. Therefore, this Policy shall also apply in this case.
APPLICABILITY OF THE POLICY
This Policy applies to all of our customers – individuals using our services by ordering from the Site or expressing interest in the same by submitting inquiries (hereinafter referred to as “data subjects”, “users”).
Partners and third parties who work with or for Estel Swimwear, and who have or may have access to personal data, will be expected to read, understand and comply with this policy. No third party may have access to personal data held by Estel Swimwear without the company having first entered into a data confidentiality agreement which imposes on the third party obligations no less onerous than those which Estel Swimwear has undertaken and which entitles Estel Swimwear to carry out checks on compliance with the obligations imposed by the agreement.
This policy applies to all EstelSwimwear employees/workers (and stakeholders) as well as to external suppliers of products and services with whom EstelSwimwear has contracted. Any violation of the General Regulation will be treated as a breach of labour discipline and/or as a breach of contracts with partners, and in the event that there is an allegation that a criminal offence has been committed, the matter will be referred as soon as possible to the relevant government authorities for consideration.
For visitors to the Site who do not place orders or send enquiries, but merely browse our website, the Cookie Policy adopted and published on the Site shall apply.
DEFINITIONS
“Regulation” – the General Data Protection Regulation 2016/679 of 27 April 2016, referred to as the GDPR. The purpose of this piece of European legislation is to protect the “rights and freedoms” of individuals and to ensure that personal data is not processed without their knowledge and, where possible, that it is processed with their consent.
‘Personal data’ means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
‘Processing’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law.
‘Data Subject’ – any living natural person who is the subject of personal data held by the Data Controller.
‘Consent of the data subject’ – any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies his or her agreement to personal data relating to him or her being processed.
‘Profiling’ – any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects relating to the performance of that individual’s professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Personal data breach’ – a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data which is transmitted, stored or otherwise processed.
‘Recipient’ – the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in the framework of a specific investigation, in accordance with Union or Member State law, shall not be considered as ‘recipients’; the processing of such data by those public authorities shall comply with the applicable data protection rules, according to the purposes of the processing.
‘Third party’ means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or the processor, are entitled to process the personal data.
PRINCIPLES
When collecting and processing personal data, we are guided by the following principles: lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.
SUBJECTS WHOSE DATA WE PROCESS
In connection with its activities, “Estelani” Ltd concludes and executes distance purchase contracts, examines job applications and proposals, forms for exercising the rights of users-buyers, as well as requests of data subjects, responds to inquiries, issues and receives invoices, processes statistical data, manages the user panel on the site, and carries out advertising activities through advertising campaigns (promotions, games, etc.). In the course of these activities, Estel Swimwear processes information about the following Data Subjects:
(a) individuals who use the site without registration, without leaving any data (in this case we process data but not personal data) and individuals who use the site without registration, who have provided a limited number of personal data voluntarily (for example, phone number and/or e-mail address);
(b) individuals using the site with a registration as a registered user – in these cases we process data about the user that the user has entered on registration – email address, delivery address, names, billing details, order details, other data entered by the user;
(c) individuals who have made enquiries (including by calling), requests, initiatives, signals, complaints or other correspondence to us, including via the website, telephone, email or otherwise;
(d) individuals about whom information is contained in enquiries (including by call), requests, initiatives, alerts, complaints or other correspondence made to us;
(e) individuals with whom we enter into contracts (civil, including commercial or employment contracts, especially distance contracts) electronically (via the website or social networks, as well as via email correspondence) or on-site at our office or business premises;
(f) individuals whose data we have obtained from third parties who provided it to us (e.g. in the case of an order intended as a gift).
PERSONAL DATA WE PROCESS
Depending on the reason necessitating the processing of personal data, the type of personal data may differ. The functionalities provided on the Site are not intended for the storage and processing of special categories of data within the meaning of Articles 9 and 10 of the Regulation. (NB! Read Articles 9 and 10 of the Regulation here). We only require such personal data that is necessary for us to provide the activity/service/product requested of us. In the course of the use of the website by individuals, we may also process other data that does not contain personal data but relates to the subject, such as his/her IP address, data on his/her activity on the website, and the like.
Data provided when placing an order
In order to execute a contract between you and “Estelani” Ltd, we require certain information from you. It is up to you to decide whether and how to use the opportunities for concluding a distance sales contract provided through the Site and the Facebook and Instagram pages. In the forms through which personal data is entered, we clearly indicate the mandatory or voluntary nature of the data provision. The data that are mandatory to fill in are those without which it is impossible to conclude the respective contract. These are: names, email address, delivery address, contact telephone number, your payment information (e.g. bank card), billing details if you wish to invoice an individual. If you provide data to third parties who will receive the order (e.g. in the case of orders for the purpose of a gift or other type of donation) you are responsible for providing the data to these third parties.
Data provided when registering on the Site
If you have chosen to store information about you on the Site by registering an account on the Site, we will store the above data as well as a history of orders placed by each account registered on the Site. The data required matches that required at checkout. Along with these, we also process IP address, activity data (time and date of registration, acceptance of the Security Policy and General Terms and Conditions, account login, etc.);
Data provided when entering into other contracts
In cases where “Estelani” Ltd concludes other contracts with individuals other than distance selling, we require three names, address, e-mail address.
Data provided by, through and on other websites and applications, referred to as third parties
In case you provide your personal data to Estel Swimwear via Viber, Skype, Facebook or any other platform/social network, we inform you that these platforms/websites/social networks have their own privacy policies and that we do not accept any responsibility or liability for these policies insofar as the processing by them cannot be controlled by Estel Swimwear. In this regard, we recommend that you check this policy before sending us your personal data via these websites/apps.
Data provided when posting a comment, review, publication
If you leave a post or comment on this website, your IP address will be saved, along with your name if you have entered this information. This is for the safety of the website operator. If your text breaks the law, the operator would like to be able to trace your identity. Separately, Estel Swimwear has an obligation to retain this data (referred to as “traffic data”) for certain periods and for certain purposes set out below. Due to the fact that sending comments, inquiries and other messages to the website, Facebook page/group or their administrators constitutes sending an electronic statement, under the Electronic Document and Electronic Certification Services Act (“EDCSA”) the administrator has an obligation to maintain logs of the fact of sending the statement for a period of 1 year. The log shall contain the date of the statement, name and email address of the sender.
Employee data and data collected when processing job applications
We process data when entering into employment contracts and when assessing and processing a job application. When concluding employment contracts, we require three names, address, age, gender, education data, work experience, bank details, and subsequently process health data.
When processing CVs, we process name, address, email address, age, gender, education, work experience, photo, data voluntarily provided by the candidate during the interview or in the CV.
Data provided in correspondence, complaints and alerts
In order to resolve complaints, alerts, disputes, inquiries, requests or other matters made in communication to Estel Swimwear, received through electronic forms on the Site, through calls to Estel Swimwear, or by sending regular mail or e-mail, Estel Swimwear stores and processes this information, as well as the result of this processing. This may be name, email address, telephone number, address, IP address.
In addition, due to the fact that sending comments, inquiries and other messages to the website, Facebook page or their administrators constitutes sending an electronic statement, under the Electronic Document and Electronic Authentication Services Act (“EDESA”) we have an obligation to maintain a log of the fact of sending the statement (without its content) for a period of 1 /one/ year. The log contains the date of the statement, the sender’s name and email address, and the sender’s identification.
If you provide us with personal information about someone else, you must do so only with that person’s authorization. You must inform them of how we collect, use, disclose, and store personal information, in accordance with this “Security Policy” for individuals’ personal information.
Technical data collected in the course of using the Site
In addition, we collect information from your computer, phone, tablet or other device that you use. This information may include the following:
The identifier of the device you are using, the type of that device, and a unique token for that device, including information that your browser automatically sends us when you visit a website; this log data includes – your Internet Protocol address, the address and activity of the websites you visit, searches, browser type and settings, the date and time of your request, how you used the Site, cookie data, and device data; if you would like more details about the information we collect – contact n
Location information transmitted by your device if you have set the same to display location data – note that mobile devices allow you to control or disable the use of location services from any app on your mobile device, in the device settings menu.
Computer and connection information such as – page views statistics, IP address, site browsing history, language settings, date and time.
Logs to make your searches easier – quick links to repeat previous searches allow you to repeat your searches instead of typing them in each time. The functionality can be used with or without registration. When you use the Site, a cookie with a randomly generated number is stored in your browser, enabling the Site to show you quick links to repeat previous searches. The Site stores and displays the last 10 searches associated with that browser. In the event that you use the Service with a registration (a currently inactive feature), the last 10 searches are stored in your account;
logs related to security, technical support, development, etc.:
To ensure the reliable functioning of services and identify technical problems;
To ensure the security of services and detect malicious activities;
To develop and improve the services on the site;
To measure site traffic and usability;
Logs where required by law (such as electronic will logs);
User log-in (account) log – this log enables unauthorised attempts to access accounts to be detected and automatically blocked. It is maintained for a period of up to 1 /one/ year, and contains the date and time of login, status, whether the login is via mobile version, application or desktop browser, IP address.
Server logs, security logs (Web Application Firewalls) and logs of other devices falling under this category. These logs are necessary for detecting technical problems, detecting malicious activity and the other purposes listed above.
They are stored for a period of up to 1 /one/ year. The logs may contain the following information: date and time, IP address, URL, browser and device information. In addition, some devices may use cookie-based security technology.
We do not require and will not collect or process personal data that reveals: racial or ethnic origin; political, religious or philosophical beliefs; trade union membership; genetic and biometric data; health data; or data about sex life or sexual orientation. If a subject provides such categories of data on his or her own initiative and at his or her request, ”Estelani” Ltd. shall not be held liable for the provision, but shall only be obliged to provide the same protection measures in respect thereof as are provided for the requested personal data.
FOR WHAT PURPOSES WE PROCESS YOUR DATA
The main purpose for which WE process your personal data is related, generally speaking, to the provision of services, through the Site and social networks, namely the conclusion of a distance sales contract and the delivery of the goods and services ordered by you, as well as the accounting of revenues. We also use your personal information to provide and improve our Services, to provide you with a personalized experience on our Site, to contact you regarding your account and our Services, to provide you with customer service, to provide you with personalized advertising and marketing tailored to your interests, to run sweepstakes and games organized by us, and in certain cases to detect and investigate fraudulent or illegal activities.
Estel Swimwear collects, uses and processes the information described above for the purposes set out in this Policy, which may relate to:
The conclusion of a contract for the purchase of goods/services remotely between you and Estel Swimwear, via the Site or social networks – we require your identification, contact and payment details in order to enter into a contract with you, respectively to send you the order.
– Postal operators and courier companies
– Persons who, on assignment, maintain equipment, software and hardware used to process personal data and necessary for the company’s operations.
– Persons providing consultancy services at various times.
The conclusion of employment contracts and the processing and evaluation of resumes submitted.
Protecting and enforcing the legitimate interests of other users of the Services, third parties and the Site – the legitimate interest pursues objectives related to the legitimate interests of Estel Swimwear and/or third parties. These purposes include:
Detecting and resolving technical or functionality problems, developing and improving the purpose of the Site;
Communicating with you, including electronically, on important matters relating to the services we provide and the performance of contracts entered into.
Targeting our marketing, updating services and offering you promotional offers based on your preferences.
Receiving and handling signals, complaints, requests and other correspondence received.
Enforcing and protecting the rights and legitimate interests of the Site, including through legal proceedings, and assisting in enforcing and protecting the rights and legitimate interests of other users of the Site and/or affected third parties.
Administering and maintaining the website and application securely and safely.
Analysing and improving the use of our website, App and retail (including using information about how you navigate our website, App and/or stores).
Measuring and analysing our advertising and making suggestions and recommendations to you – based on the information you share with us.
Communicating with you about your account, troubleshooting issues with your account. When we contact you by phone to ensure efficiency, we may use automated or prerecorded calls and text messages.
Informing you about products and services you would like us to send you. Information by email, post, mobile phone and/or other digital means (depending on your stated preferences) including – social media platforms – only where we have received your explicit consent to do so.
Your registration on the website (in this case, we will also use your personal information to maintain and update your account, such as changing your address or changing your marketing preferences).
Administering any competitions/draws/games on a lottery basis run by Estel Swimwear.
Providing you with location-based services (such as advertising, search results and other personalized content).
To comply with Estel Swimwear’s legal obligations, which include:
Fulfilling statutory obligations to retain or provide information with respect to our tax obligations to the government (e.g., based on the Accounting Act and other tax laws – ITA, FATL, CCC, IRC, etc.).
Fulfilling legal obligations based on the Labour Code, the Commercial Register Act and the Register of Non-Profit Legal Entities, and other statutory acts; execution of an order received by us from competent state or judicial authorities (e.g. on the basis of the Law on the Ministry of Internal Affairs, the Criminal Procedure Code, the Law on the Legal Status of the Republic of Lithuania).
Performance of obligations under the Data Protection Regulation relating to notifying you of various circumstances relating to your rights, the Services provided or the protection of your data, and the like.
Performance of obligations provided for in the Consumer Protection Act, such as ensuring the right of withdrawal and the right to legal guarantee.
Protecting Estel Swimwear in court proceedings.
Your data may be processed on the basis of your explicit consent, the processing in this case being specific and to the extent and scope provided for in the relevant consent. Typically, we require such consent from you where we wish to process your personal data without a legal obligation or legitimate interest for Estel Swimwear. Most often, we require such consent when we wish to offer you information about new promotions, products, etc.
STORAGE PERIOD OF YOUR PERSONAL DATA
When storing data, WE apply the general principle of storing data in the minimum amount and for no longer than is necessary to provide the Services and perform the contracts, ensuring their security and reliability and the requirements of the law. We will retain your personal information for the period necessary to fulfil the purposes set out in this “Privacy Policy”, unless we are required by law or legitimate interest to retain it for a longer period. Depending on the type of data and the purposes for which it was collected, there is a retention period after which the information is deleted.
Data type: Registration data (first name, last name, email address, phone number, address) and information about registration and agreement to the Terms (date, time, IP address)
Storage period: For the entire period of maintaining the account on the Site and up to 5 /five/ years from termination of registration
Basis for processing: Performance of a contractual relationship; performance of a legal obligation; protection of a legitimate interest
Explanations: Data identifying you as a registered user of the Site. In order to resolve possible disputes that arise or become known after termination of the agreement to use the Site and in connection with the WEEDEWU (see below), this data is stored for a period of up to 5 /five/ years after termination of the account.
Important! On the basis of the EUDEA (see below), some of this data must be stored by the administrator (activity, IP address) for a period of up to 1 /one/ year after termination of the account. The extension of the storage period is due to the protection of the legitimate interests of the controller.

Data type: Personal data from orders and from invoices, payment documents (orders, statement), reports and other accounting, reporting and payment documents issued or received by the administrator. Personal data from employees’ employment records.
Storage period: For the period during which the rights and obligations of the parties to the legal relationship under which the accounting, reporting or payment document was issued exist, up to 5 years from the termination of the legal relationship. Certain data shall be retained for a longer statutory period than that specified above, as they represent accounting information – transaction data, billing data – between 5 and 50 years.
Basis for processing: Performance of legal obligations and protection of the legitimate interests of the controller.
Explanations: The data identifies you as a party to the distance selling contract and is stored for the purpose of securing your rights and/or fulfilling our legal obligations as taxable persons. The storage is also necessary in order to ensure the rights of buyers (individuals) where a time limit is provided for the same (e.g. 2-year warranty). Legal obligations also require the storage period to be determined as described.
Pursuant to Article 38 of the Tax and Social Security Procedural Code (TSSC), accounting and commercial information, as well as all other information and documents relevant for taxation and compulsory social security contributions, shall be kept by the obliged person in accordance with the procedure laid down in the National Archive Fund Act for the following periods: payrolls – 50 years; accounting registers and financial statements – 10 years; tax and social security control documents – 5 years after the expiry of the limitation period for the discharge of the public debt to which they relate; all other media – 5 years. Pursuant to Article 38, paragraph 2 of the Tax Procedure Code, after the expiry of the time limit for their storage, the information carriers referred to in para. 1 (paper or technical) which are not subject to transfer to the National Archive Fund may be destroyed.

Data type: Personal data from correspondence, complaints and signals, requests, initiatives
Storage period: Data from correspondence, complaints, signals, requests, initiatives shall be kept for a period of up to 5 /five/ years on the basis of the Law on Obligations and Contracts (limitation periods for making claims).
Basis for processing: Protection of the legitimate interests of the controller
Explanations: In order to resolve complaints, alerts, disputes, inquiries, requests or other matters made in communication to Us received via electronic forms on the Site, by sending regular or electronic mail, We store and process this information as well as the result of this processing. Given the limitation periods under Bulgarian law for the purpose of resolving disputes, this information is stored for up to 5 /five/ years.

Data type: Log certifying the sending of a comment, request, order or other statement (contains sender, recipient, date and time of the statement)
Storage period: For a period of 1 /one/ to 5 years.
Basis for processing: Performance of legal obligations and protection of the legitimate interests of the controller
Explanations: Because the sending of a comment, feedback, inquiry, other statement constitutes the sending of an electronic statement by you to us under the EUEPA, the company is required to maintain a log of the fact of sending the statement for a period of 1 /one/ year.
The legitimate interest of the controller allows us in certain cases to extend the retention period of this data up to 5 years from the statement.

Data type: Quick searches (do not contain personal data)
Storage period: Until deleted by you; until your registration is terminated or up to 6 /six/ months if you use this functionality without registration
Basis for processing: Consent of the subject and protection of the legitimate interests of the controller
Explanations: This option allows you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. Quick links are stored to repeat the last 10 searches. You can change the setting from the browser you are using.

Data type: Settings and System Logs (do not contain personal data, may contain information such as: date and time, IP address, URL, browser version and device information)
Storage period: Until deleted by you or until your registration is terminated. In case they are stored in a cookie – between 6 /six/ and 12 /twelve/ months from the last use
Basis for processing: Subject’s consent. Performance of legal obligations and protection of the legitimate interests of the controller.
Explanations: Settings such as language selection and the like fall into this category.
Control over the settings is yours and you can change the same, through your browser.
Server logs, security device logs (Web Application Firewalls) and other devices fall under this category. These logs are necessary to identify technical problems and/or detect malicious activity.

Data type: Information stored in a mobile application
Storage period: For the duration of its use (until uninstalled).
Explanations: Information necessary for the technical provision of the Services (such as settings, etc.)

Data type: Cookies
Storage period: Between 6 and 12 months – depending on the type of cookie and your browser settings
Basis for processing: Subject consent and protection of the legitimate interests of the OSA
Explanations: For a description of the cookies used, see “Cookie Policy”.
Exceptions to the rules on storage periods
Please note that we will not delete or anonymise your personal data if it is necessary for a pending judicial, administrative, arbitration, enforcement or complaint proceeding before us. Erasure will take place once the need for the data has ceased, and it is possible that this will be after the expiry of the time limits set out above.
You can always ask us to delete certain information or to close your account, and we will act on this request while retaining certain information even after closure of the account where applicable law or legitimate interests so require. If we are legally obligated or if reasonably necessary to comply with regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms, we may also retain some of your personal information for a limited period of time, even after you have deleted your account.
In order to ensure the reliability of the Services and to protect against data loss for technical reasons, the Site maintains a data redundancy policy. The maximum update (data deletion) period of all backups is 30 days.
DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES
Estel Swimwear, respectively the Site, does not provide your personal data to third parties unless it is necessary for the fulfillment of your order or if there is a legitimate reason to do so – a legal or contractual obligation, a legitimate or vital interest. We endeavour to minimise the personal data we disclose, so that it is always directly relevant and necessary to achieve the stated purpose. We do not sell, rent or otherwise disclose your personal information to third parties for their marketing and advertising purposes without your consent. We ensure that access to your data by private third-party entities is carried out in accordance with data protection and confidentiality laws, based on contracts entered into with them.
We may disclose your personal data where we are subject to a legal obligation. In certain cases, Estel Swimwear is obliged to disclose your data to public authorities such as the police, prosecution or court, in connection with the prevention or detection of crime. This also includes sharing information with other companies and organisations in order to protect against fraud and reduce credit risk. You should be aware that if we are asked by the police, or any other regulatory or government body investigating suspected illegal activities, to provide your personal information or other information we obtain about you, we are entitled to do so once we have satisfied ourselves as to the validity of the government authorities’ request. Where we receive sales proceeds, we may be required by revenue authorities to provide sales data containing your order data, including personal data. In this regard, we provide your data to the accounting firms we work with. It is the legal obligation of the Site and Estel Swimwear to protect the security of the networks and data processed by the Company. In this regard, we apply a number of measures, the implementation of which may necessitate the processing of your data by IT companies taking care of security in our company.
We may have a contractual obligation to provide your data in the event of a distance selling contract with you, under which we are obliged to provide the goods or services you have requested by courier. The same is the case if you have chosen to purchase, pay for a product or service from our Site, through payment, credit or banking services whose providers you personally share your data with or outsource to us.
Our legitimate interest justifies in certain cases the provision of personal data to third parties. This would be the case in proceedings brought before the “Data Protection Commission”, the “Consumer Protection Commission” and other public authorities. A legitimate interest also exists for EstelSwimWear when we engage other companies and individuals to perform certain tasks on our behalf, complementary to our services, within the framework of data processing contracts. We would like you to always be aware of the best offers for the products/services you are interested in. In this regard, we may provide certain of your data, only with your explicit consent, to marketing/telemarketing service providers and other companies with whom we may develop joint programs to market our goods and services.
Our website may also contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we accept no responsibility or liability for these policies. Please check these policies before submitting information to these websites. Our site uses YouTube LLC, represented by Google Inc. to integrate videos. Typically, when you visit an embedded video page, your IP address will be sent to YouTube and cookies will be installed on your device. However, our YouTube videos are integrated in an extended privacy mode (in this case, YouTube is still in contact with the DoubleClick service from Google, but personal data in accordance with Google’s privacy policy is not used). As a result, YouTube does not store any visitor information unless you watch the video itself. If you click on the video, your IP address will be sent to YouTube and YouTube will know that you have watched the video. If you are logged into YouTube through your user profile, this information will also be associated with your user profile (you can prevent this by logging out of YouTube before clicking on the video to view it). We have no information about the possible collection and use of your data by YouTube. For more information, please see YouTube’s privacy policy at:
www.google.com/intl/bg/policies/privacy/
TO WHICH COUNTRIES WE TRANSFER YOUR PERSONAL DATA
Currently, we store and process your personal data within the European Union.
However, some of your personal data may be transferred to entities located within or outside the European Union, including to countries for which the European Commission has not recognized an adequate level of data protection.
We will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers of data to service providers and other third parties will always be protected by contractual obligations and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for data transferred from the EU to the United States of America.
You can contact us at any time using the contact details set out at the end of the Policy to find out which countries we transfer your data to and what safeguards we apply in relation to those data transfers.
YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Under the General Data Protection Regulation you have the following rights:
Right to information
This Policy is intended to inform you in detail about the processing of your personal data. Where there is a risk of a breach of the security of your personal data, the controller is obliged to inform you of the nature of the breach and what measures have been taken to remedy it, as well as whether the supervisory authority has been notified of the breach. The data subject may also request information concerning any recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested has been disclosed.
Right of access
You have the right to obtain confirmation of whether your personal data is being processed, access to it and information about how it is being processed and your rights in relation to it. As a data subject, you have the right to request confirmation of whether your personal data is being processed and, if so, to obtain access to your data and the following information: for what purpose the data is being processed, what personal data, the recipients of the data, the duration of the processing. Requests for access must be made in writing/electronically and addressed to the controller. In this case, we provide a copy of the personal data processed in electronic or other appropriate form.
Right to rectification
You have the right to rectify and supplement your personal data in case they are incomplete or inaccurate. For registered users, this option is also valid in the user panel on the Site. Non-registered users can obtain this information by making a request to the administrator. As a data subject, you have the right to request the rectification or completion of your personal data that is inaccurate/outdated or incomplete. You must submit a separate request for this purpose. Your request will be answered by the controller in writing at the e-mail address you have provided.
Right to erasure (right to be forgotten) and account closure
As a data subject, you have the right to “be forgotten”, i.e. to request that the controller erase your personal data without undue delay from all systems and records where it is stored, including notifying any third parties/processors to whom it has provided the data.
Should you wish, you have the option to close your account on the site at any time. This option is also valid in the user panel on the Site. After closing the account, all or part of the data is deleted. In connection with our obligations, responsibilities and the requirements of the law (e.g. the EULA or the WEEDU Act), we may retain certain data for a certain period (see section above).
In order to ensure the reliability of the services and to prevent data loss for technical reasons, the Site applies a data redundancy policy. The maximum period for updating (deleting data) from all backups is 30 days.
A request for deletion may be made on the grounds set out in the Regulation, including on any of the following grounds:
– the personal data are no longer necessary for the purposes for which they were collected;
– where you have withdrawn your consent;
– where you have objected to the processing of personal data and there are no legitimate grounds for the processing which prevail;
– where the processing is unlawful;
– where personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
– where the personal data were collected in connection with the provision of information society services.
Please note that we may refuse to erase some or all of the personal data where there is an essential justification and/or a legal obligation to process it. You will be informed of this in due time. The controller may refuse to erase personal data on the grounds set out in the Regulation, where the processing of the specific data serves one of the following purposes:
– for the exercise of the right to freedom of expression and the right to information;
– for compliance with a legal obligation requiring processing provided for in EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
– for reasons of public interest in the field of public health;
– for archiving purposes in the public interest, scientific or historical research or statistical purposes;
– for the establishment, exercise or defence of legal claims.
The right to restriction in relation to the processing of data
The General Data Protection Regulation provides you with the possibility to restrict the processing of your personal data if the grounds for doing so set out in the General Data Protection Regulation apply.
Restriction is allowed in the following cases:
– where you consider that your personal data is not accurate, in which case the restriction shall be for the period necessary for the controller to verify the accuracy.
– where the processing of your personal data is unlawful and you do not wish it to be erased, but only wish its use to be restricted.
– where the controller no longer needs your personal data for the purposes of the processing, but you, as the data subject, require them for the establishment, exercise or defence of legal claims.
– where you have objected to processing pending verification that the controller’s legitimate grounds override your interests.
The right to notify third parties
Where applicable, you have the right to request the Data Controller to notify third parties where it has provided your data, regarding the rectification, erasure or restriction of the processing of your personal data.
Right to data portability
You have the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format and have the right to transfer that data to another controller without hindrance from us, in the event that the processing is based on consent or a contractual obligation or the processing is carried out in an automated manner.
Important: The responsibility for the storage of data exported from the Site, as well as for any consequences of providing it to other controllers, is entirely yours.
Right not to be subject to a decision based solely on automated processing
You have the right not to be subject to such automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you unless the grounds for doing so are provided for in the applicable data protection legislation and appropriate safeguards are provided to protect your rights, freedoms and legitimate interests.
Right to withdraw consent
You have the right, at any time, to withdraw the consent you have given in relation to the processing of personal data on the basis of your prior consent. Such withdrawal shall not affect the lawfulness of the processing based on the consent given up to the time of withdrawal. In the case of services such as the subscription to email advertisements, the subscription to which is based on your wish (consent), the possibility is provided to terminate the subscription at any time (withdrawal of consent). In the event of withdrawal of consent, we have the right to request that the identity of the applicant be verified in order to confirm that the applicant is the person to whom the data relates.
Right to object
You have the right to object to data being processed on the basis of legitimate interest. If such an objection is received, we will consider your request and, if justified, comply with it. If we believe that there are compelling legitimate grounds for the processing or that it is necessary for the establishment, exercise or defence of legal claims, we will inform you of this.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint against our company (data controller) with the supervisory authority if you believe that the processing of personal data relating to you violates applicable data protection law.
HOW YOU CAN EXERCISE YOUR RIGHTS. TIME LIMITS FOR MAKING A RULING
You may exercise the rights set out above free of charge at any time, by email or by request sent to the addresses indicated in the contact form on the Site or at the end of this “Security Policy”, and you may address your requests both to the controller and directly to the Data Protection Officer. Requests shall be made in a manner that allows the identity of the requester to be established. With respect to certain rights, technical options for exercising them may be applicable, for example an unsubscribe button. In any event, the controller shall respond to the request or give a ruling on the exercised right at the address provided in the request, including electronically, within one month of receipt.
In the event that you exercise these rights manifestly unreasonably or excessively, in particular because of the repetitive nature of the requests, we reserve the right to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or to refuse to act on the request. We will inform you of our fees, if applicable, before acting on your request.
ACCURACY OF INFORMATION
We are not responsible for the accuracy of the data you provide, nor do we make any checks to this effect, nor do we guarantee the true identity of the individuals who have provided the data. In all cases where you suspect or detect fraud and/or abuse, please notify us immediately. You undertake that in providing any information on the Site, you will not violate the rights of others in relation to the protection of their personal data or their other rights.
GENERAL POLICY INFORMATION
This “Privacy Policy” may be amended or supplemented due to changes in applicable Bulgarian or European law, at the initiative of Estel Swimwear or a competent authority.
Estel Swimwear will inform users of amendments or additions to this “Privacy Policy” by posting the updated “Privacy Policy” on our website.
Users are advised to periodically check the most up-to-date version of this Privacy Policy on the Estel Swimwear website.
HOW WE PROTECT YOUR RIGHTS
SECURITY MEASURES
In order to ensure the best possible protection of the data of the company and our customers/users/contractors/visitors on the Site, we apply all the necessary organizational and technical measures provided for in the “General Regulation” on data protection and the “Data Protection Act”, as well as best practices of international standards. We apply the appropriate and necessary level of protection and to this end we have developed efficient physical, electronic and administrative procedures to safeguard the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
We store your data on secure servers using the latest encryption algorithms and ensure backups are kept.
The Company has adopted the necessary policies and procedures relating to the lawful processing of your personal data, including a Data Breach Action Plan, has established structures to prevent misuse and security breaches, and has appointed a Data Protection Officer to assist with the processes of lawfully processing, protecting and securing your data.
Access to your personal data is permitted only to those employees, service providers or affiliates who need to know it for business purposes or who need the information to perform their job duties. All employees/workers are required to be trained and accept the relevant contractual clauses/declarations/rules to comply with organisational and technical access measures before being granted access to information of any kind.
It is a principle of our structure that all employees/workers are responsible for ensuring the security of the data for which they are responsible and which we process, and that data is held securely and not disclosed under any circumstances to any third party unless we have granted such rights to that third party by entering into a confidentiality agreement/clause. In this regard, all personal data is only accessible to those who need it, and access can only be granted in accordance with established access control policies.
Computer media that are protected in accordance with organisational and technical measures to control access to information.
Personal data is deleted or destroyed only in accordance with internal data retention and destruction procedures.
For maximum security in the processing, transfer and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymisation and backup technology.
We use a payment service to process payments. All payment information is encrypted using SSL technology.
When you post in forums, chat rooms or social networking services, the personal information you share is visible to other users and can be read, collected or used by them. In these cases, you are responsible for the personal information you choose to provide.
Despite the measures we implement to protect your personal information, we are aware that, in general, transmitting information over the Internet or other public networks is not completely secure, and there is a risk that the data may be viewed and used by unauthorized third parties. We cannot accept responsibility for these vulnerabilities on systems not under our control. In the event of a data leak containing personal data, we guarantee to comply with all applicable notification standards in such cases.
COOKIE POLICY
As an integral part of this “Personal Data Security Policy” for individuals, Estel Swimwear also adopts a Cookie Policy, published and available both on the Site and on our Facebook, Instagram and other pages.