Privacy policy

(Notification on the Processing of Personal Data)


1. Data Controller

Ай-Ком 24 OOD, operating under the trade name NOA Pilates (“the Company,” “We,” “Controller”), conducts its activities in compliance with applicable Bulgarian and European data protection legislation, including Regulation (EU) 2016/679 (“GDPR”) and the Bulgarian Personal Data Protection Act.

Controller Details:

  • Name: Ай-Ком 24 OOD

  • Trade Name: NOA Pilates

  • Company ID: 207998272

  • Registered Address: 50 Peyyo K. Yavorov Blvd., Sofia, Bulgaria

  • Email: info@noapilates.com

  • Website: www.noapilates.com

This Privacy Policy aims to inform customers and visitors of the online store about which personal data we process, for what purposes, on what legal basis, for how long, with whom we share it, and what rights you have.

For the purposes of this policy, a Customer is any individual who:

  • visits or uses the website;

  • places an order;

  • creates a customer account, if such functionality is available;

  • submits an inquiry, complaint, withdrawal, request, or other correspondence;

  • enters or wishes to enter into pre-contractual or contractual relations with us.


2. What Personal Data We Process

Depending on your use of the website and our services, we may process the following categories of personal data:

2.1. Identification and Contact Data

  • First and last name

  • Phone number

  • Email address

  • Shipping address

  • Billing address, if applicable

  • Company information, if the order is placed by a legal entity

2.2. Order and Payment Data

  • Information about ordered products

  • Order value

  • Selected delivery method

  • Selected payment method

  • Payment status

  • Order status

  • Cash on delivery information, if selected

  • Limited transaction data for card payments provided by the payment provider, such as payment status, transaction ID, card type, and last four digits

We do not store full debit or credit card data; card payments are processed through the secure environment of the respective payment provider.

2.3. Communication Data

  • Content of messages, emails, forms, chat, phone calls, or other correspondence

  • Information provided in connection with complaints, withdrawals, returns, or inquiries

2.4. Technical and Usage Data

  • IP address

  • Device type

  • Browser and operating system

  • Language settings

  • Date and time of visit

  • Pages viewed

  • Actions on the website

  • Traffic source

  • Logs and data from cookies, pixels, tags, and similar technologies

2.5. Marketing and Advertising Data

When applicable and with a valid legal basis, we may process data regarding:

  • Interaction with ads

  • Adding products to cart

  • Initiated but unfinished orders

  • Completed purchases

  • Remarketing and measuring ad performance via Meta, Google, and similar platforms

2.6. Customer Account Data

If registration/customer account functionality is enabled, we may process:

  • Login credentials

  • Order history

  • Preferences and settings

  • Saved addresses in the account


3. How We Collect Personal Data

We collect personal data:

  • during registration and/or use of the website

  • when placing an order, with or without registration

  • when completing forms, including contact, complaint, withdrawal, or inquiry forms

  • through communication via email, phone, social media, or other channels

  • automatically via cookies, pixels, log files, and similar technologies

  • from suppliers and partners, when necessary for fulfilling orders, processing payments, delivery, security, analytics, or advertising

  • in limited cases, from public sources or third parties when legally permissible and necessary

Our website may collect data in log files, including IP address, ISP, browser, operating system, date and time of visit, visited pages, and website actions.


4. Do We Process Special Categories of Personal Data?

We generally do not process special categories of personal data under GDPR, such as health data, biometric data, political opinions, religious beliefs, sexual life, or other sensitive data.

Please do not send us such data unless expressly necessary and lawful.


5. Purposes of Processing Personal Data

We process your personal data for the following purposes:

  • Accepting, confirming, and fulfilling orders

  • Delivering ordered products

  • Processing payments, including cash on delivery and card payments

  • Issuing invoices and fulfilling accounting and tax obligations

  • Communicating with customers regarding orders, deliveries, complaints, withdrawals, and inquiries

  • Providing customer support

  • Managing customer accounts, if available

  • Maintaining website security and preventing misuse, fraud, and unauthorized access

  • Technical support, website improvement, and usage analysis

  • Measuring the performance of advertising campaigns

  • Remarketing, audience creation, and showing more relevant ads via Meta, Google, and similar platforms

  • Establishing, exercising, or defending legal claims

  • Fulfilling legal obligations to public authorities, courts, regulators, and other competent institutions


6. Legal Basis for Processing

Personal data is processed on one or more of the following bases:

6.1. Contract Performance / Pre-contractual Steps

We use data as necessary to:

  • Accept and fulfill orders

  • Organize delivery

  • Service the order

  • Communicate regarding orders or inquiries

6.2. Legal Obligation

We process data as necessary to:

  • Meet accounting and tax obligations

  • Issue and store accounting documents

  • Comply with consumer protection laws

  • Assist competent authorities as required by law

6.3. Legitimate Interest

We may process data based on legitimate interest when necessary to:

  • Protect the website, business, and customers

  • Prevent fraud and abuse

  • Establish, exercise, or defend legal claims

  • Conduct internal analysis and improve the website and services

  • Carry out limited administrative and organizational management of business operations

6.4. Consent

When required, we process data based on your consent, for example:

  • Marketing cookies and pixels

  • Certain analytics and advertising technologies

  • Sending marketing messages when applicable

  • Other cases in which processing is based on consent under the law

You can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.


7. Cookies, Meta Pixel, Google Ads, and Similar Technologies

Our website uses cookies, pixels, tags and similar technologies, which may be:

  • Strictly necessary – for website functionality, cart, security and order processing
  • Analytical – for traffic measurement and website improvement
  • Marketing – for ad measurement, remarketing, audience creation and conversion tracking

We use the following technologies:

  • Meta/Facebook Pixel – a browser-based technology, activated only after your consent via the cookie banner
  • Meta Conversions API (CAPI) – a server-side technology that sends transaction and behavioural data directly from our server to Meta. CAPI operates independently of your cookie consent choice and is applied on the basis of contract performance and legitimate interest under Art. 6(1)(b) and (f) GDPR, for the purposes of measuring and optimising advertising campaigns, fraud prevention and service improvement
  • Google Ads / tags / analytics tools – activated after your consent
  • Other similar analytics and advertising technologies – activated after your consent where applicable

These technologies may collect information about your behaviour on the website — pages viewed, products added, orders initiated and purchases completed — for campaign measurement and optimisation purposes.

Browser-based analytical and marketing technologies are activated only after your consent via the cookie banner/settings. Meta Conversions API (CAPI) operates at server level on the basis of legitimate interest and contract performance, independently of cookie consent.

Further information may also be provided in a separate Cookie Policy if published on the website.


8. Data Retention

We retain personal data only as long as necessary for the purposes collected, unless longer retention is required by law.

Typical retention periods include:

  • Order, delivery, and customer service data – up to 5 years after the relationship ends, unless a longer legal period applies

  • Accounting and tax documents – up to 10 years or as required by law

  • Correspondence, complaints, requests, and notifications – up to 5 years for legal protection

  • Technical logs and security data – typically up to 12 months, unless specific incidents require longer

  • Consent-based data – until consent is withdrawn or the need for processing ceases

  • Cookies and consent settings – per the technology’s applicable duration or until you change your choice

If legal, administrative, or other proceedings arise, data may be retained until final resolution and expiration of appeal periods, if necessary.


9. Data Sharing

We may share personal data only when necessary and lawful with:

  • Shopify – for managing the online store

  • Payment service providers – for card payment processing

  • Courier and logistics companies – for order delivery

  • Accounting, legal, and consulting providers

  • IT and hosting providers, including security and support

  • Analytics and advertising providers, including Meta and Google, where applicable

  • Government authorities, courts, regulators, and law enforcement, as required by law

  • Other processors or recipients when necessary to achieve the purposes outlined in this policy

We do not sell your personal data.


10. International Data Transfers

Some of our providers, including e-commerce, cloud, analytics, and advertising providers, may process personal data outside the European Economic Area (EEA).

When such transfers occur, we ensure an appropriate level of protection through legal mechanisms, including:

  • Adequacy decisions, where applicable

  • Standard contractual clauses

  • Other appropriate technical and organizational measures


11. Data Security

We implement appropriate technical and organizational measures to protect personal data against:

  • Unauthorized access

  • Unauthorized disclosure

  • Loss

  • Destruction

  • Alteration

  • Misuse

Measures may include:

  • Restricted system access

  • Protection of admin panels and accounts

  • Secure connections

  • Security logs and systems

  • Backup and restoration

  • Confidentiality agreements with providers and partners

However, no system can guarantee absolute security.


12. Automated Decision-Making

We currently do not perform fully automated decision-making that produces legal effects or similarly significant impacts on you.


13. Your Rights

Under applicable law, you have the following rights:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure (“right to be forgotten”), when applicable

  • Right to restriction of processing

  • Right to object to processing based on legitimate interest

  • Right to data portability, when applicable

  • Right to withdraw consent when processing is consent-based

  • Right not to be subject to decisions based solely on automated processing, when applicable

  • Right to lodge a complaint with a supervisory authority

To exercise your rights, contact: info@noapilates.com

We may request reasonable identification information to protect your data and verify that the request comes from the correct person.

We will respond without undue delay, usually within one month, unless the law allows an extension for complex cases.


14. Supervisory Authority

If you believe your personal data has been processed in violation of applicable law, you have the right to file a complaint with:

Commission for Personal Data Protection

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

  • Email: kzld@cpdp.bg

  • Website: www.cpdp.bg

  • Phone: +359 2 91-53-519


15. Changes to this Policy

In case of material changes in how we process personal data, data categories, technologies used, or applicable legal requirements, we will update this Privacy Policy and publish the new version on the website.

The current version will always be available at: [Privacy Policy]


16. Contact

For questions regarding this Privacy Policy or personal data processing, contact us:

I-Kom 24 Ltd. / NOA Pilates
Company ID: 207998272
Address: 50 Peyyo K. Yavorov Blvd., Sofia, Bulgaria
Email: info@noapilates.com
Website: www.noapilates.com