Privacy Policy

The data controller responsible for your personal data is:

Atmar Horeca EOOD
str. Manol Lazarov 67, 9022 Varna, Bulgaria
VAT: BG205062463
Email: privacy@atmarhoreca.com

We collect the following categories of personal data:

• Account data: full name, email address, and password (stored as a secure hash by Supabase).
• Profile data: company name, phone number, and VAT number (optional, provided by you).
• Address data: billing and shipping addresses.
• Order data: items ordered, quantities, prices, order status, and transaction history.
• Payment data: payments are processed by Stripe. We store payment status and reference IDs, but we never store your card details.
• Technical data: IP address, browser type, device information, and pages visited — collected by Google Analytics only if you consent to analytics cookies.

• Contract performance (Art. 6(1)(b) GDPR): processing your orders, managing your account, and providing customer support.
• Legal obligation (Art. 6(1)(c) GDPR): issuing invoices and retaining financial records as required by Bulgarian and EU law.
• Consent (Art. 6(1)(a) GDPR): analytics cookies. You may withdraw consent at any time via the cookie banner or by contacting us.
• Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention and service security.

• Processing and fulfilling your orders.
• Sending transactional emails (order confirmations, shipping updates, invoices).
• Managing your account and customer profile.
• Responding to enquiries and support requests.
• Issuing VAT invoices and complying with tax obligations.
• Analysing site usage to improve our service (with your consent).

We share your data only with the following trusted processors, each bound by data processing agreements:

• Supabase Inc. (USA) — database and authentication hosting. Data is stored on EU servers (AWS eu-west-3). Covered by standard contractual clauses.
• Stripe Inc. (USA) — payment processing. Covered by the EU–US Data Privacy Framework and standard contractual clauses.
• Brevo SAS (France) — transactional email delivery. EU-based processor.
• Google LLC (USA) — analytics (Google Analytics 4), only when you have accepted analytics cookies. Covered by the EU–US Data Privacy Framework.
• Eurosender d.o.o. (Slovenia) — shipping logistics. Your name, address, and phone number are shared to arrange delivery.

We do not sell your data or share it with any other third parties for marketing purposes.

• Account and profile data: retained as long as your account is active. You may request deletion at any time.
• Order and invoice data: retained for 5 years as required by the Bulgarian Accountancy Act.
• Analytics data: retained for 26 months as per Google Analytics default settings.

You have the following rights regarding your personal data:

• Right of access: request a copy of the data we hold about you.
• Right to rectification: request correction of inaccurate data.
• Right to erasure: request deletion of your data, where no legal obligation requires us to retain it.
• Right to restriction: request that we limit how we use your data in certain circumstances.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interest.
• Right to withdraw consent: withdraw analytics consent at any time without affecting prior processing.

To exercise any of these rights, use the contact form at the bottom of this page. We will respond within 30 days.

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Bulgarian supervisory authority:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
www.cpdp.bg

We use cookies for session management and, with your consent, for analytics. See our Cookie Policy for full details.

We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of our site after changes constitutes acceptance of the updated policy.