Confidentiality Policy

Information about the personal data administrator:
„Clean Labs” ltd. is a legal entity, registered with the Bulgarian Commercial Registry under the unique identifying number 204818185, having its headquarters and management address in Sofia, j.k. Beli brezi, 38 Haidushka gora str., phone: +359876258535; e-mail: contact@cleanlabs.bg.

Legal basis and purpose for processing your personal data

We are processing your personal data based on the following grounds:

  • a concluded contract between us in order to fulfill our obligations under it;
  • an explicit consent from you – the purpose being specified for each case;
  • an obligation by law.

The following paragraphs contain detailed information on the ways we process your personal data based on these grounds.

FOR THE EXECUTION OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS:

We process your personal data in order to perform contractual and pre-contractual obligations and to use our rights under the entered contracts with you.

The purpose of the processing is as follows:

  • to find out your identify;
  • to manage and execute your orders and the contract;
  • to prepare an offer for a contract;
  • to prepare and send a receipt or an invoice for the services we provided for you;
  • to provide the full service you need, as well as to receive the due payments for the provided services;
  • to keep the correspondence with you, regarding placed orders, processed queries, reported issues, and etc.;
  • to notify you of updates, regarding the services we are providing for you;
  • to identify and/or prevent unlawful behaviour or breach of our terms for the corresponding services.

Data we process based on these grounds: 

Based on the contract concluded between Clean Labs Ltd. and you, we process data about the type and content of the contractual relationship, as well as any other information, in respect to the contractual relationship, including:

  • personal contact details: address, e-mail, phone number;
  • identification data: first name and surname;
  • data of placed orders;
  • correspondence in relation to providing full service: e-mails, letters, information on your queries for solving issues, claims, requests, complaints, or feedback that we receive from you;
  • credit or debit card information, bank account number or any other banking or payment information in relation to payments made;
  • other information such as: social media profile data and information about your activities on the website.

The processing of the above-listed data is necessary for us in order to enter into a contract with you and to execute this contract. Without being provided with the above data, we wouldn’t be able to perform our contractual obligations.

We provide personal data to third parties
We provide your data to third parties, and our primary purpose is to offer you quality, fast and comprehensive service. We do not provide your data to third parties before making sure that all technical and organizational measures are taken to protect these data and we aim at carrying out strict controls to meet this goal. In this case we remain responsible for the confidentiality and security of your data. We provide personal data to the following categories of recipients (personal data administrators):

  • postal operators and courier companies;
  • individuals who, by assignment, support equipment, software and hardware used to process personal data and are necessary for the company's activity;
  • individuals, providing consulting services in different areas.

When do we delete the data collected on these grounds
The data collected on these grounds is deleted 5 years after termination of the contractual relationship, whether due to the expiration of the contract, revocation or other reason. This term is set by the 5-year limitation period for contract claims.

FOR THE IMPLEMENTATION OF LEGAL OBLIGATIONS
It is possible that the law provides an obligation for us to process your personal data. In these cases, we are required to process data such as:

  • obligations under the Law on Measures against Money Laundering;
  • execution of obligations with reference to distance selling, off-premises sales, provided by the Consumer Protection Act;
  • providing information to the Consumer Protection Commission or to third parties in compliance with the Consumer Protection Act;
  • providing information to the Commission of Personal Data Protection with reference to obligations provided by the legal framework for the protection of personal data;
  • obligations stipulated in the Accountancy Law and the Tax and Social Insurance Procedure Code and other related normative acts with reference to lawful accounting practices;
  • providing information to the court and third parties, in court proceedings, following the requirements of the normative acts applicable to the proceedings;
  • to identify a person's age when shopping online.

When do we delete personal data collected on these grounds
The data collected in accordance with a legal obligation is deleted once the collection and storage obligation has been fulfilled or dropped. For example:

  • under the Accountancy Law for the storage and processing of accounting data (11 years);
  • obligations to provide information to the court, to competent state bodies and other grounds, provided by current legislation (5 years).

Providing data to third parties
When we are required to do so by law, we may provide your personal data to the competent governmental authority, to an individual or a legal entity.

WITH YOUR CONSENT
We process your personal data on these grounds only after an explicit, unambiguous, and voluntary consent on your part. We will stipulate no unfavorable consequences to you in case you decline personal data processing. The consent is a separate permission to process your personal data and the purpose of the processing is specified therein, and it is not covered by the aims listed in this policy. If you provide the respective consent and until its withdrawal or until the termination of any and all contractual relationships with you, we will prepare product/service offers which are suitable for you.

Data we process on these grounds:
On these grounds we process only the data for which you have given us your explicit consent. The particular data are specified for every individual case. Usually these are an e-mail address and a name.

Consent withdrawal
The granted consent may be withdrawn at any time. The consent withdrawal has no impact on the fulfillment of contractual obligations. If you withdraw your consent for the personal data processing for any or all ways described above, we will not use your personal data and information for the purposes listed above. The consent withdrawal does not affect the lawfulness of the processing based on a granted consent prior to its withdrawal. In order to withdraw the granted consent, you only need to use our website or simply use our contact information.

When do we delete personal data collected on these grounds
We delete the data collected on these grounds upon a request from your or 12 months after the initial collection of the data.

COLLECTION AND PROCESSING OF PERSONAL DATA WHEN VISITING OUR WEBSITE

When visiting and using our website for information purposes only, without registering or otherwise providing us with information, we only collect the personal data that your browser transmits to our server. These data are necessary for us so we can technically display our website to you and to guarantee stability and security.

We transfer the collected data to the relevant internal departments for processing or to external service providers, contractors (e.g. hosting providers, content management system) in accordance with the purposes required (for displaying the website and setting up its content).

The log files are deleted within 24 months.

WEB ANALYTICS

Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses a specific form of cookie, which is stored on your computer and enables an analysis of your use of our website. This information about the way you use this website, generated by the cookie, is transmitted to a Google server in the USA and is stored there.

We would like to point out that Google Analytics has been expanded on this website to include a code, which ensures anonymized recording of IP addresses (the so-called IP masking). Due to the IP anonymization on this website, your IP address is shortened by Google within the territory of the EU and the Treaty States of the European Economic Area. Only in exceptional cases the full IP address is transmitted to the Google server in the USA and is shortened there. Google has submitted itself to the EU-US Privacy Shield, (https://www.privacyshield.gov/EU-US-Framework).

Google uses this information on our behalf to analyze your use of this website in order to compile reports on website activities and provide additional services related to website and internet use. Google may also transfer this information to third parties as required by law or if said third parties process these data on behalf of Google. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

You can prevent the storage of cookies by making the proper setting using your browser software. In addition, you can prevent Google from recording the data related to your use of the website generated by the cookie (including your IP address) and from processing this data by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=en.

Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Google Analytics Terms of Service: https://www.google.com/analytics/terms/gb.html, General overview on Google Analytics security and privacy principles: https://support.google.com/analytics/answer/6004245?hl=en, as well as Google’s privacy policy: https://policies.google.com/privacy?hl=en.

Cookie lifetime: up to 24 months (this applies only to cookies which have been set by this website).

Maximum storage period of data: up to 24 months.

PROCESSING ANONYMISED DATA
We process your data for statistical purposes, i.e. for analyses for which the results are only summarised and thus the data are anonymous.
The identification of a specific individual using this information is impossible.
Your data may also be anonymised. The anonymisation represents an alternative to the deletion of the data. Under anonymisation all personal and identifiable element(s) enabling user identification will be irreversibly deleted. There is no normative obligation for the deletion of anonymised data since they do not represent personal data.

Why and how do we use automated algorithms
For the processing of your personal data we use partially automated algorithms and methods in order to keep improving our products and services constantly so we can adapt our products and services to your needs in the best possible way. The process is called profiling.

How do we protect your personal data
In order to ensure adequate protection of company’s data and of our clients’ data, we implement all necessary organizational and technical measures set out by the Law for Personal Data Protection.
The company has set rules for prevention of misuse and security breaches. For maximum security of your data processing, transmission and storage, we may use additional protection mechanisms, such as encryption, pseudonymisation, and others.

Personal data we received from third parties
We do not receive data for you from social networks.

User rights
Every website user has all personal data protection rights as per the Bulgarian legislation and the laws of the European Union.

The users can exercise their rights through the contact form or by sending us an e-mail.

Every user has the right to:

  • information (in connection with the processing of their personal data by the administrator);
  • access to the user’s own personal data;
  • correction (if the data are incorrect);
  • deletion of personal data (the right “to be forgotten”);
  • restriction of the processing by the administrator or the personal data processor;
  • portability of the personal data between different administrators;
  • objection to the processing of their personal data;
  • the data subject also has the right not to be subject to a decision based solely on automated processing  including profiling and which leads to legal consequences for the data subject or which affects them to a significant degree in a similar way;
  • protection either judicially or administratively, in case the rights of the data subject have been infringed upon.

The user can request deletion if one of the following conditions is met:

  • the personal data are no longer needed for the purposes for which they have been collected or processed;
  • the user withdraws the consent on which the data processing is based, and there is no other legal reason for the processing;
  • the user objects to the processing and there are no overriding legal grounds for the processing;
  • the personal data have been processed unlawfully;
  • the personal data are to be deleted for the purpose of compliance with a legal obligation as per the EU law or the law of a member state which applies to the administrator;
  • the personal data have been collected in order to provide services of the information society to children, and the consent was given by the holder of parental responsibility over the child.

The user has the right to restrict the processing of their personal data by the administrator when:

  • they contest the accuracy of the personal data. In this case, the limitation of the processing is for a period enabling the administrator to verify the accuracy of the personal data;
  • the processing is unlawful, however the user does not want the personal data to be erased, but requests a restriction of the data usage instead;
  • the administrator no longer needs the personal data for the purposes of processing but the user requires the data for the establishment, exercise or defense of legal claims;
  • they object to the processing pending the verification whether the legal grounds of the administrator override the interests of the user.

Right to portability
The data subject is entitled to receive the personal data which concern them and which they have provided to the administrator in a structured, commonly used and machine-readable format, and has the right to transfer these data to another administrator, without hindrance from the administrator to whom the personal data were provided when the processing is based on consent or on a contractual obligation, and the processing is carried out in an automated manner. When exercising the right to portability, the data subject is entitled to receive a direct transfer of the personal data from one administrator to another when this is technically feasible.

Right to objection
The users have the right to object to their personal data processing by the administrator. The data administrator is obliged to terminate the processing unless compelling legal grounds for the processing exists and are proven, which override the interests, rights, and freedoms of the data subject, or for the purpose of establishment, exercise, or defense of legal claims. In the event of objection to the processing of personal data for the purposes of direct marketing, the processing shall be terminated immediately.

Complaint to the supervising authority
Every user has the right to lodge a complaint against unlawful processing of their personal data with the Commission of Personal Data Protection or with the competent court.

Record-keeping
We keep a register of the processing activities for which we are responsible. This register contains the entire information as set out below:

  • the name and contact details of the administrator;
  • the purposes of the processing;
  • description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data are or will be disclosed;
  • including recipients in third countries or international organizations;
  • when possible, established deadlines for deletion of the different data categories;
  • when possible, a general description of the technical and organizational security measures.