Privacy Policy.
This page explains what personal data we collect when you visit lamperia24.com, place an order, or write to us — and what your rights are under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Bulgarian Personal Data Protection Act.
Plain language. No dark patterns. If something is unclear, write to [email protected] and we'll explain.
1. Who is the data controller
The controller of your personal data is:
| Company | "LAMPERIA24" EOOD (placeholder — to be confirmed) |
|---|---|
| EIK / UIC | [pending registration] |
| VAT (DDS) | BG[pending] |
| Registered office | Burgas, Bulgaria (full address to be confirmed) |
| Contact | [email protected] |
We do not currently have a designated Data Protection Officer (DPO) — the operation does not meet the GDPR Art. 37 thresholds. All data-protection enquiries go to [email protected].
2. What data we collect, and why
2.1 When you place an order
| Data | Purpose | Legal basis | Kept for |
|---|---|---|---|
| Name, delivery address, phone | To fulfil the order, hand to courier | Contract (Art. 6.1.b) | 10 years (BG accounting law) |
| Order confirmation, dispatch notice, after-sale support | Contract (Art. 6.1.b) | 10 years | |
| Order details (items, total, VAT) | Invoicing, tax compliance | Legal obligation (Art. 6.1.c) | 10 years |
| Payment card / IBAN | Never reaches us. Handled directly by Stripe (PCI-DSS Level 1). | — | — |
2.2 When you subscribe to the newsletter
| Data | Purpose | Legal basis | Kept for |
|---|---|---|---|
| Email + timestamp + consent flag | Sending our newsletter (max 2× / month) | Consent (Art. 6.1.a) | Until you unsubscribe |
2.3 When you browse the site
| Data | Purpose | Legal basis | Kept for |
|---|---|---|---|
| IP address (anonymised), browser type | Security, abuse prevention, performance via Cloudflare CDN | Legitimate interest (Art. 6.1.f) | 24h (Cloudflare default) |
| Server access logs | Debugging, security audits | Legitimate interest | 30 days, then auto-deleted |
| Cookies (functional + analytics) | See Cookie Policy | Consent (analytics) / Necessity (functional) | See cookie table |
2.4 When you contact us
Emails you send to [email protected] are stored on our mail server and kept for as long as needed to handle the enquiry — typically 2 years, then deleted.
3. Who we share data with (processors)
We don't sell or rent your data. Ever. We do share it with the following processors, strictly to deliver the service you ordered:
| Processor | What they get | Why | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Card data, amount, order ID, email | Process payment | EU (Ireland) |
| Resend (resend.com) | Email, name (if provided) | Newsletter + transactional email delivery | EU + US (SCC) |
| Cloudflare | IP address, headers | CDN, DDoS protection | Global (SCC) |
| DPD / Speedy | Name, address, phone | Delivery | EU |
| Hosting (Cloudzy, Amsterdam) | Server access logs | Web hosting | EU (Netherlands) |
All processors located outside the EU are bound by Standard Contractual Clauses (SCC) approved by the European Commission.
4. Your rights under GDPR
You have the following rights regarding your personal data. To exercise any of them, write to [email protected] — we respond within 30 days (usually within 48 hours).
- Right of access — get a copy of all data we hold on you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — we delete your data, unless we're legally required to keep it (e.g. order records for tax purposes — 10 years).
- Right to restriction of processing — temporarily stop processing while a dispute is resolved.
- Right to data portability — receive your data in a machine-readable format (JSON / CSV).
- Right to object — to processing based on legitimate interest, including direct marketing (newsletter unsubscribe).
- Right to withdraw consent — at any time, with no effect on prior lawful processing.
- Right to lodge a complaint — with the Bulgarian Commission for Personal Data Protection (KZLD / CPDP) at cpdp.bg, address: Sofia 1592, "Prof. Tsvetan Lazarov" Blvd 2, email [email protected].
5. How we keep data safe
- TLS 1.3 everywhere — no plain HTTP.
- HSTS preload submitted (browsers always use HTTPS for our domain).
- SSH key-only access to servers, no password logins.
- Stripe handles all card data — we never see or store it.
- Database backups encrypted at rest.
- Server access logs auto-deleted after 30 days.
6. Children
This site is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with personal data, write to [email protected] and we'll delete it immediately.
7. Changes to this policy
We update this page when our practices or applicable law change. Material changes are announced at least 30 days in advance via newsletter (for subscribers) and a banner on the homepage. Older versions are kept for reference — write to us if you want to see one.
8. Contact
Privacy questions, access requests, complaints — all to: [email protected].
If you prefer regular mail: send to the registered office address listed in §1 above.
Last updated: 21 May 2026 · Version 1.0 (draft)