1. Information about the Data Controller
“SPAVITA” Ltd. (Bulgarian legal entity), UIC 201636252, with registered office and management address:
Sofia, postcode 1379, Vazrazhdane District, Serdika residential area, 18A, Entrance D, Floor 8, Apt. 105, Republic of Bulgaria, represented by its manager Iliana Nikolova Kozovska (the “Data Controller”).
Website: https://facetaping.eu/
This Privacy Policy governs the relationship between the Data Controller and the data subjects who use the Website.
Contact details
Email: aromafaceyoga@hotmail.com
2. Legal bases and purposes for processing your personal data
We process your personal data on the following legal bases:
- Performance of a contract concluded between you and us (and steps taken at your request prior to entering into a contract);
- Your explicit consent (the purpose is specified in each particular case);
- Compliance with a legal obligation;
- Our legitimate interests.
In this Privacy Policy you will find detailed information on how we process your personal data depending on the legal basis we rely on.
3. Processing for performance of a contract or in a pre-contractual context
We process your personal data in order to fulfil our contractual and pre-contractual obligations and to exercise our rights under contracts concluded with you.
Purposes of processing
- to verify your identity;
- to manage and fulfil your request and/or perform a concluded contract;
- to prepare an offer for concluding a contract;
- to prepare and send an invoice/receipt for the services you use;
- to provide comprehensive customer service and collect amounts due for services used;
- to retain correspondence related to orders, handling requests, reporting issues, etc.;
- to notify you of matters related to the services you use;
- to detect and/or prevent unlawful actions or actions contrary to our terms.
Categories of data subjects
Under this legal basis we process data relating to our customers. A customer is any individual (or a representative of a legal entity) who is in contractual or pre-contractual relations with us and wishes to use our services.
Services provided via the Website
Through the Website we provide: online sale of cosmetics, essential oils and cosmetic equipment, as well as online courses.
Personal data processed on this legal basis
On the basis of the contract between you and us, we process information about the nature and content of the contractual relationship, and any other information related to it, including:
- names;
- email address;
- address;
- details of orders placed;
- correspondence relating to customer service;
- information relating to payment (e.g., credit/debit card information, bank account number or other banking/payment details connected with payments made).
Some of the above data is mandatory for concluding and performing the contract. Without it, we would not be able to provide the services. Mandatory fields are marked with “*” or another symbol. All other personal data is provided voluntarily.
Sharing personal data with third parties
We share your personal data with third parties in order to provide a high-quality, fast and comprehensive service. We do not share your data before we have ensured appropriate technical and organisational measures are in place to protect it. Where we share data, we remain responsible for its confidentiality and security. We have data processing agreements in place with recipients who process data on our behalf.
We may share personal data with the following categories of recipients (controllers and/or processors, depending on the case):
- postal operators and couriers;
- providers who, under assignment, maintain equipment, software and hardware used for personal data processing and necessary for our activity;
- providers of consultancy services (e.g., legal, accounting, business consulting, etc.);
- cloud service providers and payment service providers such as Stripe, PayPal, and others.
Retention period
- Data collected on this legal basis is deleted 3 or 5 years after termination of the contractual relationship (regardless of whether due to expiry, termination, cancellation, or other grounds). The period is determined by applicable statutory limitation periods for potential contractual claims.
- Data collected in a pre-contractual context is deleted after 12 months.
4. Contact form
When you use our contact form, we collect the data you provide voluntarily. By sending data via the contact form, you agree to this Privacy Policy. The data you send is processed solely for providing our services and/or concluding a contract. Data is processed and deleted according to the rules in this Privacy Policy, specifically the rules for data collected on a contractual or pre-contractual basis.
5. User account (profile)
Each registered user has a unique user account. From your account you can manage your personal data protection settings, including updating your personal data and subscribing/unsubscribing from the email newsletter.
6. Automated decision-making
We do not use automated decision-making algorithms for processing personal data.
7. Processing to comply with legal obligations
In some cases, we are legally required to process your personal data. Examples include:
- obligations under Bulgarian anti-money laundering legislation;
- obligations related to distance selling and off-premises contracts under the Bulgarian Consumer Protection Act;
- providing information to the Commission for Consumer Protection or other parties where required under consumer protection law;
- providing information to the Commission for Personal Data Protection in connection with obligations under personal data protection legislation;
- obligations under the Bulgarian Accountancy Act and tax/social security procedural legislation and related acts (lawful bookkeeping);
- providing information to courts and third parties within court proceedings, according to applicable procedural rules;
- age verification for online purchasing.
Retention period
We delete data processed to comply with legal obligations after the relevant legal obligation has been fulfilled or ceases to apply. For example:
- accounting records: up to 11 years (as required by law);
- obligations to provide information to courts/competent authorities and other legally required retention: up to 5 years, depending on the applicable legal basis.
Sharing data with third parties
Where required by law, we may provide your personal data to a competent public authority or to a natural/legal person as provided by law.
8. Processing based on your consent
We process your personal data on this basis only after you have given explicit, unambiguous and freely given consent. You will not suffer adverse consequences if you refuse.
Consent is a separate legal basis, and the purpose is described when consent is collected. If you provide consent (and until you withdraw it or our contractual relationship ends), we may send you tailored offers about our services.
Data processed on this basis
We process only the data for which you have given consent, which varies by case. Typically, this includes your email address and name.
If we intend to share data with third parties on the basis of consent, we will inform you before you provide consent.
Withdrawal of consent
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal, and it does not affect performance of contractual obligations. If you withdraw consent, we will stop using your data for the purposes for which consent was given.
You can withdraw consent by contacting us using the contact details in this Privacy Policy.
Retention period
Data processed on the basis of consent is deleted upon your request or stored for the period stated in the consent. If no period is stated, we delete the data within 12 months from initial collection.
9. Email marketing
If you subscribe to receive emails from us, you will receive messages with up-to-date information about our services, partners’ services, or other useful information. You can unsubscribe at any time by clicking the “unsubscribe” link/button in the email (or equivalent), or by contacting us using the details in this Privacy Policy.
Brevo may be used for email marketing.
10. Legitimate interests
We process and analyse data on the basis of our legitimate interests, primarily to improve our overall service. On this basis we may analyse user behaviour and perform analytics. Such data may include: browsing behaviour on the Website, duration of sessions, non-anonymised IP address, Facebook profile data, precise location data, etc.
If the collection of such data goes beyond our legitimate interests, we will process it only with your explicit consent.
Your data may also be anonymised. Anonymisation is an alternative to deletion. When anonymised, all personally identifiable elements are irreversibly removed. Anonymised data is no longer personal data.
11. How we protect your personal data
To ensure adequate protection of company data and the data of our customers, we apply all necessary organisational and technical measures required under applicable personal data protection legislation.
We have established rules to prevent abuse and security breaches and have adopted measures to maintain the security of personal data.
To maximise security during processing, transmission and storage, we may use additional safeguards such as encryption, pseudonymisation, and others.
If you have any questions about this Privacy Policy or would like to exercise any of your rights, please contact us at facetapingexpert@gmail.com.
Last updated: 9 Feb 2026