Privacy policy

Last updated: October 13, 2025

PRIVACY POLICY AND PROTECTION OF PERSONAL DATA ON THE SITE lovebiotica.com


This document discloses the Privacy Policy and Protection of Personal Data collected from users of the Site with the address (URL) lovebiotica.com This Privacy Policy aims to inform you about how the website owner treats your personal data as the Administrator, and also about how you could control your preferences and settings in relation to this treatment.

This Privacy Policy is an integral part of the General Terms and Conditions for Use of the Site lovebiotica.com All definitions and definitions given in the General Terms and Conditions are also applicable in this Privacy Policy.

This Policy is effective from 01.10.2025.

ADMINISTRATOR OF PERSONAL DATA

"Love Biotica" Ltd. is a Personal Data Administrator within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR") and the Personal Data Protection Act (hereinafter referred to as the "PDPA").

In order to comply with the requirements of the applicable personal data protection legislation, the company responsible for the protection of your personal data in its capacity as Data Administrator is:

1. Company name: "Love Biotica" Ltd., UIC: 208450453;

2. Headquarters and address of management: Bulgaria, Sofia, Triaditsa district, 12 IVAYLO Str.;

3. Correspondence details: Bulgaria, Sofia, Triaditsa district, 12 IVAYLO Str.;

* official email for customer communication: welcome@lovebiotica.com;

* phone for customer communication: +359886888614;

4. Supervisory authorities:

(1) Personal Data Protection Commission

Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.,

tel.: (02) 940 20 46

fax: (02) 940 36 40

Email: kzld@government.bg, kzld@cpdp.bg

Website: www.cpdp.bg

The Administrator collects and processes all personal data in accordance with the personal data protection laws applicable in Bulgaria and the European Union.

PRINCIPLES OF PROCESSING PERSONAL DATA

When processing personal data, the Administrator complies with the following principles:

1) collects personal data only where there is a legal basis, processes them fairly and in a transparent manner in relation to the data subject - principle of lawfulness, fairness and transparency;

2) collects personal data for specific, explicit and legitimate purposes and does not process such personal data in a manner that is incompatible with the original purposes - principle of purpose limitation;

3) processes only such volume and type of personal data as are related to and limited to what is necessary in relation to the purposes for which they are processed - principle of data minimization;

4) keeps personal data accurate and up-to-date - principle of accuracy;

5) stores personal data in a form that permits identification of the data subject for a period no longer than is necessary for the purposes for which the personal data are processed - principle of storage limitation;

6) complies with the principles of data protection by design and data protection by default, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons presented by the processing, and implements appropriate measures to protect personal data and to comply with Regulation (EU) 2016/679.

7) ensures an appropriate level of security for personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures - the principle of integrity and confidentiality.

BASIS FOR COLLECTING PERSONAL DATA

The Administrator collects and processes your personal data on the following grounds:

• Explicit consent obtained from you as a client/user. The consent obtained for the processing of personal data is voluntary and is provided for each specific case. The consent you have provided for the processing of personal data can be withdrawn at any time by submitting a free text request for the withdrawal of consent by email to the Administrator. The withdrawn consent is effective for the future, and it does not affect the lawfulness of the processing of the personal data provided by you before submitting the request for the withdrawal of consent. According to Art. 6 para. 1 a) GDPR, the data will be processed if you have explicitly agreed to the type and scope of the data processing in question.

By “consent” the Controller means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to him or her. The data subject may withdraw his or her consent at any time. The consent of the data subject shall be required whenever there is no overriding legal basis for the processing.

The Controller shall understand “consent” only to be the case where the data subject has been fully informed of the intended processing and has given his or her consent without undue influence. Consent obtained under duress or on the basis of misleading information shall not constitute a valid basis for the processing of personal data.

Consent cannot be inferred from the lack of a response to a communication to the data subject. In order for consent to exist, there must be active communication between the controller and the data subject. The Controller shall request and obtain consent for processing activities where consent is required for those activities.

For special categories of data, explicit written consent must be obtained in accordance with the Procedure for obtaining consent for the processing of personal data of data subjects, unless there is an alternative legal basis for processing.

The subject's consent to the processing of personal or special categories of data is given - on the basis of the relevant consent document provided by the data subject to the controller for each specific purpose of processing. When the subject signs a contract, consent is not required, because his data is collected on another legal basis.

When the Controller processes personal data of children, it obtains permission from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.

• Performance of contracts or pre-contractual activities. According to Art. 6 para. 1 b) GDPR, the processing will only be carried out to the extent necessary for the performance and exercise of the rights and obligations arising from the contract. Unless expressly stated otherwise, the data will be processed by us only to that extent.

• Processing is necessary for compliance with a legal obligation of the Company. According to Art. 6 para. 1 c) GDPR Processing will be carried out to the extent necessary to comply with European legal requirements.

• Processing is necessary for the purposes of the legitimate interests of the controller or of a third party. According to Art. 6 para. 1 f) GDPR Processing is carried out to the extent of our legitimate interest, unless it is prevented by conflicting overriding interests of the data subject. Our specific interest is explained in this privacy policy in the context of the description of the processing.


WHAT DATA DO WE COLLECT FROM OUR USERS

Before accessing the services of the Site, you must express your explicit consent to process your personal data in accordance with this Policy. We collect personal information that you voluntarily provide to us when you visit the site, express interest in receiving information about us or our services, when you participate in activities on the site or otherwise.

1. The Administrator does not collect and store “sensitive” categories of personal data such as political beliefs, ethnic origin, sexual orientation, data about the subject’s health, religious or philosophical beliefs, etc.

2. Personal data collected from the data subject when individuals contact the Administrator via a contact form on the site.

When the person sends a message to the Administrator using the contact form, the Administrator collects and stores the name and e-mail address of the person, as well as the information provided in the message.

Purpose for which the data is collected: The Administrator collects and stores the specified information for the purposes of communicating with the individual.

3. Personal data collected automatically.

On our website, we collect data about all visitors, namely:

• Browser identifier;

• History of pages visited, in order to establish your preferences for certain types of content;

• History of searches you have made on our pages;

• Device data. We collect device data, such as information about your computer, phone, tablet or other device that you use to access the website. Depending on the device used, this data for separation may include information such as your IP address or proxy server, device and application identification numbers, location, browser type, hardware model, provided Internet service and/or mobile operator, operating system and system configuration information.

Purpose for which the data is collected: Improving the security of the services provided by the Provider and preventing misuse of the user account by third parties.

4. Personal data collected from users when concluding a distance purchase contract:

• three names;

• email;

• address;

• telephone;

• Payment data such as Payment date, Payment amount; Place of payment; Payment method (by card), etc.

Purpose for which the data is collected: to fulfill contractual obligations, as well as for tax and accounting purposes.

5. Personal data collected from users when registering on the site:

• three names;

• email;

• address;

• telephone;

In case you provide your personal data to the Administrator via Viber, Facebook or another social network, we inform you that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. In this regard, we recommend that you check these policies before sending us your personal data via these websites/applications.

Based on your explicit consent, the Administrator may also process other data relating to you, in cases where you voluntarily provide such data.

Purpose for which the data is collected: to fulfill contractual obligations, as well as for tax and accounting purposes.

6. Personal data collected from the data subject when individuals register to receive an online newsletter via the website:

• name and surname;

• email;

1. Description and scope of data processing

On our website you have the opportunity to subscribe to free newsletters.

The following data is collected during registration:

(1) IP address of the accessing computer

(2) Date and time of registration

As part of the registration process, your consent to the processing of the data is required and a reference is made to this privacy policy.

The data is not transferred to third parties in connection with the processing of the data for sending newsletters. The data is used only for sending the newsletter.

2. Legal basis for data processing

The legal basis for data processing after registration to receive a newsletter by the user is Art. 6, para. 1, lit. a) of the GDPR, after consent has been given. Upon receipt of the newsletter, a contractual relationship exists, Art. 6, Para. 1, Letter b) GDPR.

Purpose for which the data is collected: The data is collected and stored for the purpose of identifying the person and sending an online newsletter.

PURPOSES OF PROCESSING PERSONAL DATA

The Administrator collects and processes the personal data of individuals, which are provided directly by them or collected automatically, for the following purposes:

• For the normal functioning of all services on the Site;

• To establish contact with the person;

• To provide services offered on the Site;

• To fulfill the rights and obligations of the parties under the concluded agreement;

• To improve the efficiency and functionality of the Site;

• For accounting purposes;

• For statistical purposes and analyses to improve our services;

• To protect information security;

• To make sure that our clients are real and to prevent fraud;

• To send a newsletter if you express a wish;

Our legitimate interest in processing your personal data is caused by the need to ensure the protection and safeguarding of the legitimate interests of the Administrator and/or third parties, which is related to:

• ensuring the normal use of the Site by you and by other users, resolving disputes, identifying and preventing malicious actions.

• detecting and resolving technical or functionality problems, developing and improving the purpose of the Site.

• communicating with you, including electronically, on important issues related to the Services provided on the Site and/or the performance of concluded contracts.

• accepting and processing received inquiries, requests, complaints and other correspondence;

• exercising and protecting the rights and legitimate interests of the Administrator, including in court, and providing assistance in exercising and protecting the rights and legitimate interests of other users of the Site and/or affected third parties.

For these purposes, it may be necessary to process some or all of the above categories.

Our legal obligations include fulfilling obligations provided for by law to retain or provide information upon receipt of a relevant order from competent state or judicial authorities, ensuring the possibility of exercising the supervisory powers of competent state authorities, fulfilling obligations provided for in the General Data Protection Regulation related to notifying you of various circumstances related to your rights, the services provided or the protection of your data, etc. similar. For these purposes, it may be necessary to process some or all of the above categories.

Your data may be processed on the basis of your explicit consent, and the processing in this case is specific and to the extent and scope provided for in the relevant consent.


HOW LONG DO WE KEEP INFORMATION

When storing data, We apply the general principle of storing data in a minimum volume and for a period no longer than necessary to conclude and perform contracts with you and/or to provide the services on the Site, ensure their security and reliability and the requirements of the law.

The personal data of the users of the Site are stored in the following way:

Types of data Storage period Explanations

System logs (may contain information such as: date and time, IP address, URL, information about browser version and device) For a period of up to 1 /one/year Server logs, logs of security protection devices (Web Application Firewalls) and other devices falling into this category. These logs are necessary to identify technical problems and/or detect malicious actions.

Inquiries, requests and any correspondence, incl. incoming telephone calls. Correspondence is stored for a period of up to 1 /one/ year from the date of receipt of the message.

In order to ensure the reliability of the service, incoming telephone calls are stored for a period of up to 3 /three/ months. For registered users, this data is stored until the registration is terminated, unless we deem it unnecessary. In order to better communicate with you, We store and process data received through electronic forms on the Site, through calls to the Administrator by sending by regular or e-mail, as well as the result of this processing.

Cookies Up to 6 /six/ months from the last use of the Services For a description of the cookies used, see the "Cookie Policy"

• personal data related to the conclusion and execution of commercial transactions with you for the term of the contract and a reasonable period thereafter, related to the fulfillment of additional obligations arising from the contract.

• personal data contained in documents for tax and social security control /invoices, receipts, etc./ – 5 years after the expiration of the limitation period for repayment of the public obligation to which they are related.

The Administrator shall not store personal data in a form which permits identification of data subjects for longer than is necessary in relation to the purposes for which the data were collected.

The Administrator may store data for longer periods only if the personal data are processed for archiving purposes, for purposes in the public interest, scientific or historical research purposes and for statistical purposes, and only upon implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.

Personal data must be destroyed, in accordance with the principle of ensuring an appropriate level of security (Art. 5, para. 1 b. f) of the General Regulation) – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures (“integrity and confidentiality”);

WHERE WE STORE YOUR PERSONAL DATA

Your personal data that we collect are stored on servers located in the European Economic Area.

We store your personal data for a period no longer than necessary to achieve the above-described purposes, or until the services and/or the Site are discontinued. Your personal data collected through the Site will be collected, processed, stored, disclosed and destroyed in accordance with applicable Bulgarian and European legislation.

SECURITY MEASURES

The Administrator has taken a wide range of technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. All our employees are familiar with our security policy, as provided for in the Personal Data Protection Act. The personal information of our Users is accessible only to a limited number of qualified employees. We regularly check our security systems and processes. Although we take reasonable measures to maintain a secure site, electronic communications and databases are subject to errors, tampering and breaches and we cannot guarantee that such events will not occur and we will not be liable to visitors for any such events.

Access to personal data is limited to individually authorized and instructed personnel. We will inform you at any time about changes in the processes for protecting confidentiality and data security, including practices and policies, by always up-to-date information in this section. You can request information at any time about where and how your data is stored, protected and used.

In the event that your data is compromised, we will notify you and the competent supervisory authority within 72 hours by email with information about the extent of the breach, the data affected, any impact on the service and the action plan for measures to limit any possible harmful effects on data subjects.

In case you wish to receive detailed information about the technical and organizational measures, please do not hesitate to contact us.


WHO WE SHARE AND DISCLOSE YOUR PERSONAL DATA TO

The administrator must ensure that personal data is not disclosed to unauthorized third parties, including family members, friends, government authorities, even investigators, if there is a reasonable suspicion that it is not required in accordance with the established procedure. All employees/workers must be cautious when asked to disclose stored personal data about another person to a third party. It is important to consider whether or not the disclosure of the information is related to the needs of the activity carried out by the organization. Employees must be given special training and periodic briefings in order to avoid the risk of such a breach.

All requests from third parties to provide data must be supported by appropriate documentation and all such disclosures of data must be coordinated with the data protection officer/Data Protection Officer, who must provide an opinion.

Personal data will be provided to the competent public authorities in and on the occasion of the exercise of their official powers.

Sometimes we record some of the information on our servers Sometimes we record some of the information on our servers or send it to third parties. This is necessary in order to provide you with the best experience when using our services, and sometimes in general, in order to ensure the availability and accessibility of the service you use.

Your personal data will not be transferred to third parties unless:

● you provide us with your explicit, informed and freely given consent;

● the third parties in question provide us with support under a contract for the purpose of providing our products or services;

● this is required by law or by virtue of an official act of a public authority;

● this is necessary in connection with the sale of a business, our company or its assets, which are subject to confidentiality.

Our employees and partners are duly informed of the importance of their obligation to maintain confidentiality and are responsible for fulfilling this obligation.

For any other purposes not expressly mentioned in this Policy, we will request your explicit consent, identifying our partners as well as the purposes of the transfer and sharing of data.

WEB ANALYSIS

We need statistical information about the use of our website in order to make it more accessible, to perform reach measurements and to conduct market research.

For this purpose, we use the web analysis tools described in this section.

Google Analytics is offered by GoogleInc., 1600 AmphitheatreParkway, MountainView, CA 94043, USA ("Google"). We use GoogleAnalytics with the additional function of anonymizing IP addresses offered by Google. Google shortens the IP address within the EU and only in exceptional cases in the USA, in both cases only shortened IP addresses are recorded.

Our website uses the services provided by Google Analytics to analyze and regularly improve the use of our website. The analysis of your user activity on the website is carried out using cookies, which are stored on your computer, generate information about your user behavior and transmit it to Google.

Under normal circumstances, a shortened version of your IP address is sent to Google servers, but in exceptional cases the full IP address may also be sent. Google uses this information on our behalf to create a report on user activity on our website. The IP address identified by Google Analytics is not combined with other Google data.

If you activate the anonymous mode on this website, your IP address will be truncated within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. In exceptional cases, the full IP address may be transferred to a Google server in the USA and truncated there. Google uses this information on behalf of the operator of this website to analyse your use of the website, to compile reports on website activity and to provide other services to the operator of the website relating to website and internet usage.

You may refuse the use of cookies by selecting the appropriate settings on your browser, but please note that if you do this you may not be able to use the full functionality of this website

Terms of Use for Users:

http://www.google.com/analytics/terms/de.html,

Data Privacy Policy:

https://policies.google.com/privacy?hl=bg


DATA SUBJECTS' RIGHTS UNDER GDPR

Right of access to your personal data. You have the right to request and obtain from the Controller confirmation as to whether personal data concerning you is being processed by sending a free text request by e-mail.

Right to rectification of personal data: if you find that the personal data we process about you are inaccurate, you have the right to have us correct these personal data. You may at any time correct or complete inaccurate or incomplete personal data relating to you by sending a request to the Administrator by email in free text.

Right to erasure of personal data (the right to “be forgotten”)

You have the right to request from the Administrator the erasure of some or all of the personal data relating to you, and the Administrator is obliged to erase them without undue delay where one of the following grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

• You withdraw your consent on which the processing of the data is based and there is no other legal basis for the processing;

• You object to the processing of the personal data relating to you and there are no overriding legal grounds for the processing;

• the personal data have been processed unlawfully;

• the personal data must be erased for compliance with a legal obligation under EU or Member State law to which the Controller is subject;

The Controller is not obliged to erase personal data if it stores and processes them:

• for the exercise of the right to freedom of expression and the right to information;

• for compliance with a legal obligation which requires processing under EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in it;

• for reasons of public interest in the area of public health;

• for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;

• for the establishment, exercise or defence of legal claims.

To exercise your right to be forgotten, you must send an email request for the deletion of your personal data that the Administrator processes, using a free text request.

Right to restriction of processing: in certain circumstances, such as if you doubt the accuracy of your personal data or you have objected to our legitimate purpose for processing your personal data, you have the right to request that we restrict the processing of your personal data until a solution is found. You have the right to request that the Administrator restrict the processing of data relating to you by sending us a free text request by email when:

• you contest the accuracy of the personal data, for a period that allows the Administrator to verify the accuracy of the personal data;

• the processing is unlawful, but you do not want the personal data to be deleted, but only their use to be restricted;

• the Administrator no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;

• You have objected to the processing pending verification of whether the legitimate grounds of the Administrator override your interests.

Right to data portability. If you have consented to the processing of your personal data or the processing is necessary for the performance of a contract with the Administrator, or if your data is processed by automated means, you may:

• request the Administrator to provide you with your personal data in a machine-readable format and to transfer them to another Administrator;

• request the Administrator to directly transfer your personal data to a controller specified by you, where technically feasible.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with a supervisory authority regarding our processing of your personal data.

The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her;

Right to judicial or administrative redress in the event that the rights of the data subject have been violated.

You can exercise all rights by contacting us via email: welcome@lovebiotica.com. We will contact you and inform you in detail about the procedure for exercising your rights.