PRIVACY POLICY FOR PERSONAL DATA
I. Information about the Personal Data Controller
“Mitopia” Ltd. (“Митопия” ЕООД) is a company registered in the Commercial Register at the Registry Agency with UIC 208164555, with registered office and address of management: Sofia, Sredets District, 42 Vasil Levski Blvd., Floor 1, email: contact@mitopia.me (hereinafter the “Controller”). The Controller sells goods through an online store located at the domain https://mitopia.me.
II. Key definitions
1. The following terms are used in this Personal Data Protection Policy:
1.1. Personal Data – any information relating to an identified natural person or to a natural person who can be identified (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors.
1.2. Restriction of processing – the marking of stored personal data with the aim of limiting their processing in the future.
1.3. Personal Data Controller – “Mitopia” Ltd. (“Митопия” ЕООД), which alone or jointly with others determines the purposes and means of processing personal data.
1.4. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning the performance of contractual relations and preferences.
1.5. Processor – a natural or legal person who processes personal data on behalf of the Controller.
1.6. Recipient – a natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not.
1.7. Third party – a natural or legal person, public authority, agency, or body other than the data subject, the Controller, the Processor, and persons authorized to process the data under the direct authority of the Controller or Processor.
1.8. Consent of the data subject – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, through a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.
1.9. User – any natural person who visits https://mitopia.me to purchase goods by entering into a distance sales contract with the Controller.
III. Legal grounds for collecting, processing, and storing personal data
2. The Controller collects and processes personal data in connection with the use of the online store at https://mitopia.me and the conclusion of distance contracts pursuant to Article 6(1) of Regulation (EU) 2016/679 (GDPR), specifically on the basis of:
- explicit consent obtained from Users;
- performance of the Controller’s obligations under a contract with Users;
- compliance with a legal obligation applicable to the Controller;
- legitimate interests pursued by the Controller or a third party.
IV. Purposes and principles in collecting, processing, and storing personal data
3. The Controller collects and processes personal data provided by Users in connection with the use of the online store and the conclusion of a contract with the company, including for the following purposes:
- placing orders for goods through the online store;
- concluding and performing distance sales contracts;
- identifying the contracting party;
- accounting, tax, and statistical purposes;
- protecting information security;
- ensuring performance of the contract for the relevant service;
- handling complaints and claims submitted by Users;
- direct marketing;
- compliance with the Controller’s legal obligations and other purposes permitted under applicable law.
4. The Controller observes the following principles when processing personal data: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy and keeping data up to date; storage limitation; integrity and confidentiality; and ensuring an appropriate level of security.
V. Types of personal data collected, processed, and stored. Purposes and legal bases
5. The Controller processes the following categories of personal data and information for the following purposes and on the following legal bases:
- Identification data (email address, name, phone number, address, etc.) collected to enable the placing of orders through the online store.
Legal basis: By accepting the Terms and Conditions and placing an order on https://mitopia.me, a contractual relationship is established between the Controller and the User, on the basis of which the Controller processes the User’s personal data. Identification data are also used to process withdrawals from distance contracts, handle claims regarding delivered goods, complaints and reports, prepare responses, and for other legitimate purposes of the Controller, including compliance with legal obligations.
- Delivery data (names, phone number, address, etc.) collected to fulfill the Controller’s contractual obligations for sale and delivery of purchased goods.
Legal basis: Contractual relationship created upon acceptance of the Terms and Conditions and placing an order. Delivery-related data are provided by the Controller to third parties (courier companies) for delivery purposes.
- Direct marketing data (email address) collected to send electronic communications about products, services, promotions, marketing activities, etc.
Legal basis: Explicit consent given by Users when ordering goods from the online store, which may be withdrawn. Users are free to decide whether to consent to receiving marketing information. Consent for direct marketing is not a condition for placing an order. Users who have provided consent may unsubscribe at any time without providing a reason. Unsubscribing is available via an explicit option included in each marketing email.
6. The following operations are carried out using the personal data provided by Users, for the following purposes:
- placing orders for goods through the online store;
- concluding and performing distance sales contracts, including delivery and administration;
- exercising the right of withdrawal;
- receiving and resolving complaints/claims in a lawful manner;
- administering complaints and preparing responses;
- conducting direct marketing by sending promotional messages about goods, services, promotions, news, etc.;
- fulfilling the Controller’s legal obligations.
7. The Controller does not collect or process personal data revealing racial or ethnic origin; political, religious, or philosophical beliefs; trade union membership; genetic or biometric data; health-related data; or data concerning sexual life or sexual orientation.
8. Personal data are collected by the Controller directly from the data subjects.
9. The company does not perform automated decision-making or profiling of Users.
10. Access to https://mitopia.me may occur via Google or other search engines, as well as via social networks. In such cases, search engines may receive the following data: IP address, search history, cookies and trackers, device, browser and operating system data, clicks on search results, etc. The website may integrate social media-related services (e.g., social media messages), allowing users to communicate with the website.
11. The Controller maintains social media profiles and may offer applications on various social media websites. In such cases, social media platforms process personal data stored in users’ profiles (name, photo, contacts, posts), interaction history (likes, comments, shares), time spent on a page or post, etc. The legal basis for such processing may vary depending on the data and the purposes. Users are advised to review the privacy policies of the social media platforms they use.
12. When using https://mitopia.me, regardless of whether access is through a search engine or social media, the Controller receives information from log files (system information per user): IP address; ISP (Internet Service Provider); the browser used (e.g., Google Chrome, Internet Explorer, Mozilla Firefox); time spent on the website; pages visited, etc. When a user visits the website, our web server automatically recognizes and collects the user’s IP address assigned by the internet service provider, which on its own does not personally identify the user.
13. The IP address may be processed by the Controller to identify a specific user when necessary to comply with the law, legal procedures, or this Privacy Policy, as well as for traffic analysis, protection from malicious attacks, blocking access for bad-faith users, and other legitimate purposes.
14. Social media buttons (Facebook, Instagram, etc.) are integrated on the website. These buttons redirect users directly to the Controller’s pages on those social networks and are included only as links. After clicking an icon, users are redirected to the respective platform. Users are advised to review the privacy policies of the social networks they use.
15. To compile detailed statistics about website visitors and for traffic analysis, improving effectiveness, maintaining website functionalities, and other legitimate purposes, we use various tools such as Google Analytics, Facebook Pixel, etc., which use cookies. More information about cookies is available in the Cookie Policy.
VI. Retention period of personal data
16. Retention periods vary depending on the nature of the data. The Controller stores Users’ personal data for no less than two years from the date of order fulfillment (the statutory warranty period for goods). The Controller takes necessary steps to delete and destroy all personal data of the User without undue delay, or to anonymize it (render it in a form that does not reveal the User’s identity).
17. Regardless of item 16, the Controller retains personal data that must be kept under applicable law for the legally prescribed period. The Controller informs the respective persons if retention must be extended due to a statutory obligation or the legitimate interests of the Controller.
VII. Transfer of personal data for processing
18. The Controller may, at its discretion, transfer some or all personal data of Users to processors for the purposes of processing to which Users have consented, in compliance with GDPR. The Controller informs Users if it intends to transfer some or all personal data to third countries or international organizations.
VIII. Users’ rights regarding personal data
19. Withdrawal of consent
19.1. If the User does not wish their personal data to be processed, they may withdraw consent at any time by sending a free-form request via email to the Controller.
19.2. Deletion of personal data may result in the Controller being unable to fulfill its obligations under the contract for delivery of goods.
19.3. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
20. Right of access
20.1. The User has the right to request confirmation whether personal data relating to them are being processed by sending a free-form request via email. The User has the right to access their personal data and information about the collection, processing, and storage of their data.
20.2. The Controller provides a copy of the personal data processed in electronic or other appropriate form. Access is free of charge, but the Controller reserves the right to charge a fee in the case of repetitive or excessive requests.
21. Right to rectification and completion
The User may correct or complete inaccurate or incomplete personal data by emailing a request. The Controller notifies the User by email once corrections have been made.
22. Right to erasure (“right to be forgotten”)
22.1. The User may request erasure of some or all personal data, and the Controller must erase it without undue delay where one of the following applies:
- the data are no longer necessary for the purposes for which they were collected or processed;
- the User withdraws consent and there is no other legal basis for processing;
- the User objects to processing and there are no overriding legitimate grounds;
- the data have been processed unlawfully;
- the data must be erased to comply with a legal obligation under EU or Member State law;
- the data were collected in relation to the offer of information society services.
22.2. The Controller is not obliged to erase personal data where processing is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation or performance of a task carried out in the public interest or exercise of official authority;
- reasons of public interest in the area of public health;
- archiving in the public interest, scientific or historical research, or statistical purposes;
- establishment, exercise, or defense of legal claims.
22.3. To exercise the right to be forgotten, the User must send a free-form request for erasure by email.
22.4. If an order is being processed, the earliest point at which the User may request erasure is after the order has been successfully completed.
23. Right to restriction of processing
23.1. The User may request restriction of processing by emailing a free-form request when:
- the User contests the accuracy of the data for a period enabling the Controller to verify accuracy;
- processing is unlawful, but the User does not want erasure and requests restriction instead;
- the Controller no longer needs the data for processing, but the User requires them for legal claims;
- the User has objected to processing pending verification of whether the Controller’s legitimate grounds override the User’s interests.
23.2. The Controller will stop processing and notify the User by email.
24. Right to data portability
24.1. Where processing is based on consent or is necessary for contract performance and carried out by automated means, the User may request their data in a readable format and have it transferred to another controller, or request direct transfer where technically feasible.
24.2. The User may exercise this right by emailing a free-form request. The Controller sends the data in an appropriate readable format to the email address specified by the User.
25. Right to be informed
The User may request information about all recipients to whom personal data have been disclosed where rectification, erasure, or restriction has been requested.
26. Right to object
The User may object at any time to the processing of personal data relating to them, including profiling or direct marketing.
27. Personal data breach
27.1. If the Controller establishes a personal data breach likely to result in a high risk to Users’ rights and freedoms, it notifies Users without undue delay, including the measures taken or planned.
27.2. The Controller is not obliged to notify Users if it has implemented appropriate technical and organizational measures, if subsequent measures ensure the breach will not result in a high risk, or if notification would involve disproportionate effort.
IX. Recipients of personal data
28. The Controller does not provide Users’ personal data to third parties except where disclosure is required by law or necessary to perform the distance contract. The Controller does not transfer personal data to third countries.
X. Supervisory authority for personal data protection
29. If Users’ rights are violated, Users have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP), website: www.cpdp.bg. Users may also contact the Controller at contact@mitopia.me with complaints, inquiries, and other questions related to personal data. The Controller will investigate and respond within the statutory 30-day period.
This Privacy Policy is effective as of 12.08.2025.
