Privacy Policy
PRIVACY POLICY (PROTECTION OF PERSONAL DATA)
1) Introduction
This Privacy Policy informs you how Nayomi Ltd. ("Nayomi", "we/us") processes and protects your personal data when you visit and use nayomi.bg, create an account, place an order, contact us, subscribe to a newsletter or use our services.
The policy is in accordance with Regulation (EU) 2016/679 (GDPR), the Personal Data Protection Act and applicable Bulgarian legislation.
2) Who we are (data controller)
"Nayomi" Ltd.
UIC: 208595712
Address: Plovdiv, 23 Mendeleev Street, Bulgaria
Website: https://nayomi.bg
3) What personal data do we collect?
Depending on how you use the site, we may process:
3.1. Data you provide directly
- First and last name
- Email address
- Phone
- Shipping/Billing Address
- Order data (products, value, status)
- Correspondence data (messages to us)
3.2. Data that is collected automatically
- IP address
- Device and browser data
- Site activity data (pages, clicks, dwell time)
- Cookie identifiers – according to the Cookie Policy
3.3. Payments
We do not store full bank card details. Payments are processed by payment providers/banks where applicable. We receive payment status information (e.g. "paid/not paid") necessary to fulfill the order.
4) For what purposes do we use the data and on what legal basis?
We only process personal data when we have a legal basis under the GDPR:
4.1. Performance of a contract (Art. 6, par. 1, b. "b" GDPR)
- acceptance and execution of orders
- product delivery
- complaints/returns handling
- communication regarding the order
4.2. Legal obligation (Art. 6, par. 1, b. "c" GDPR)
- accounting and tax obligations (invoices, reporting)
- obligations under the Public Health Act and other applicable regulations
4.3. Legitimate interest (Art. 6, par. 1, b. "f" GDPR)
- protection against fraud and abuse
- improving the functionality and security of the site
- traffic analysis and service optimization (within the limits of what is permissible and with cookie settings)
4.4. Consent (Art. 6, par. 1, b. "a" GDPR)
- newsletter/marketing messages
- marketing/analytics cookies (where consent is required)
You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of the processing before the withdrawal.
5) Marketing communications (newsletter)
If you have subscribed, you may receive emails with new products, promotions, and useful content.
You can unsubscribe at any time via the "Unsubscribe" link in the email or by contacting us.
6) To whom we provide personal data (recipients)
We may share personal data only when necessary with:
- Courier companies (for delivery)
- Payment providers/banks (for payment processing – if applicable)
- Accounting/auditor (for legal obligations)
- IT providers/platforms (e.g. hosting, support, Shopify apps)
- Government authorities (only when required by law)
All providers process data on our behalf or as independent controllers, where applicable, and implement appropriate security measures.
7) Data transfer outside the EEA
Some of our suppliers (e.g. technology platforms) may process data outside the European Economic Area (EEA). In such cases, we apply appropriate safeguards (e.g. standard contractual clauses) where required.
8) How long do we store data?
We store personal data only for the necessary period, depending on the purpose:
- Order data and accounting documents: up to 10 years (according to the Accounting Act and tax legislation)
- Correspondence/inquiries: usually up to 5 years or shorter if not necessary
- Marketing data (newsletter): until unsubscribe/withdrawal of consent
- Cookies: as described in the Cookie Policy
9) Data security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration or disclosure, including access controls, restriction of official access, encryption/secure connections (where applicable) and incident response procedures.
10) Your rights
You have the following rights under GDPR (subject to the law):
- Right to access your data
- Right to correction
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to portability
- Right to object (incl. against marketing)
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Supervisory authority in Bulgaria: Commission for Personal Data Protection (CPDP).
11) How to exercise your rights
You can exercise your rights by contacting us in writing via the contact form on the site or at the email address published in the "Contacts" section of nayomi.bg.
To protect your security, we may request additional information to verify your identity.
12) Policy changes
We may update this Privacy Policy as changes occur in our services, technology, or legislation. The most current version will always be posted on the site.
