GENERAL TERMS AND PERSONAL DATA (GDPR)

PRIVACY AND PERSONAL DATA PROTECTION POLICY

On 25.05.2018, Regulation (EU) 2016/679 entered into force on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Regulation on protection of personal data - GDPR), which introduced many significant changes compared to the current legal framework and set increased requirements for subjects in the personal data protection system. The rules presented in this policy on personal data administration are fully complied with with the above regulation.

The rules in the Privacy and personal data protection policy provide information on how EXTRAVAGANCE DESIGN LTD, registered in the Commercial Register for non-profit legal entities with UIC 204266160, with headquarters and management address: the town of Burgas, No. 14 Vasil Levski Str., Ultima building, fl. 2, (hereinafter referred to as ADMINISTRATOR) collects, uses, discloses and protects the personal data of users and customers (hereinafter referred to as DATA SUBJECT) on the following website: http://extravagancedesign.com/. There is a detailed statement regarding how personal data is processed, the types of personal data that are collected, the purpose of using the collected personal data, the access of third parties to this data, as well as the options that users and customers have in relation to the use of personal data provided by them. The procedures regulating the collection and processing of the above-described information identifying an individual user and providing the opportunity to contact them are described.

As a personal data controller, the ADMINISTRATOR has the right to collect and process the personal data provided by the DATA SUBJECT, subject to the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation) and The Personal Data Protection Act. The regulation governs the use and security of personal data with the aim of better protection of natural persons. The collection of personal data by the ADMINISTRATOR is carried out in a transparent and secure manner, thus offering, respectively providing services, according to the personal needs of the DATA SUBJECT.

DEFINITIONS

"Personal Data" means any information relating to an identified natural person or an identifiable natural person.

"Data subject" is a natural person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic , the psychic, mental, economic, cultural or social identity of that natural person.

"Processing" is any operation or set of operations performed on personal data or a set of personal data by automatic or other means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transfer, distribution or other form of providing access to the data, arrangement or combination, restriction, deletion or destruction.

"Administrator" is a natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of personal data processing.

PERSONAL DATA PROCESSED

Personal data that is provided directly is processed and used for the purposes specified in this Privacy and Personal Data Protection Policy. The provision of personal data when using the ADMINISTRATOR's website is not mandatory, except in cases where the DATA SUBJECT takes action for voluntary registration.

The information that shall be provided in order for the DATA SUBJECT to request the preparation of a personal offer or send a message through the contact form on the website, and through which you can be personally identified, is the following:

Directly through the website http://extravagancedesign.com/: first and last name, telephone, e-mail, address of the object, specifics of the object (square footage, adjoining premises, etc.)

Through Google Analytics - data on traffic and User behavior.

Through the Facebook Pixel - data on the traffic and behavior of the Users to the website of EXTRAVAGANCE DESIGN LTD.

Subscription form for an electronic newsletter - the data collected through it are: first and last name, gender, e-mail address and place of residence. The form is available on the website and on the Facebook page of EXTRAVAGANCE DESIGN LTD.

It is possible that additional information may be requested from the ADMINISTRATOR, but only with the express consent of the DATA SUBJECT or in the event that this information is necessary for the performance of the requested service. The DATA SUBJECT is the sole owner of his personal data, therefore only they can provide them.

By using the service of the ADMINISTRATOR, the DATA SUBJECT expressly consents to the collection and processing of his personal data, while at the same time guaranteeing their accuracy and reliability. The DATA SUBJECT declares that they are aware of the type of personal data that is collected and processed, the purposes for which it will be used, as well as their right to access, correct or delete the collected personal data.

COLLECTION OF PERSONAL DATA PURPOSES

The ADMINISTRATOR processes personal data only for the purposes described below:

Collection of personal information for the purpose of providing answers to requests and inquiries of the DATA SUBJECT. For example: identity verification; sending messages related to the services provided; providing access to certain functionalities of the provided services; participation in online surveys; for marketing activities;

Use of the provided personal data for the purpose of communication with the subject of personal data regarding the services offered by the company;

To measure and track statistical dependencies on user behavior on the site, in order to improve the services provided;

For marketing purposes related to activities on the relevant website.

RIGHTS OF THE DATA SUBJECT IN RELATION TO THE PROCESSING OF PERSONAL DATA

DATA SUBJECT has the right to refuse to have their personal data used for commercial, advertising or marketing purposes. If DATA SUBJECT does not wish their personal data to be used, they may contact an employee of the ADMINISTRATOR through the contact form located on his website.

DATA SUBJECT has the right to request access and receive information regarding the personal data stored for them, as well as information regarding the purposes of processing, categories of personal data, recipients to whom personal data may be disclosed and etc.

At any time, DATA SUBJECT has the right to request the correction of inaccurate data related to them, as well as the completion of incomplete data, if this is appropriate and/or necessary in view of the purpose for which the data is processed.

DATA SUBJECT has the right to file a complaint with the Commission for the Protection of Personal Data, in case of violation of rights or unlawful processing of their personal data.

DATA SUBJECT has the right at any time to withdraw their consent to the use of personal data that they have previously provided. In this case, the withdrawal of consent to the use or processing of personal data may result in the inability of the DATA SUBJECT to benefit from certain products or services provided by the ADMINISTRATOR.

If they consider that they do not want the ADMINISTRATOR to process their personal data, DATA SUBJECT has the right to be "forgotten", i.e., you may at any time request that their personal data be deleted if any of the following grounds exist:

Their personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

In the event that they have withdrawn their consent to the processing of his personal data;

If their personal data is processed unlawfully;

In case they objected to the processing of their personal data;

Other cases provided for in the legislation governing the protection of personal data.

If DATA SUBJECT takes advantage of their right to be "forgotten" and their personal data is deleted, this is an irreversible process and cannot be subsequently recovered. In cases where the DATA SUBJECT exercised their right to be "forgotten", regulated in Art. 17 Regulation (EU) 2016/679, the ADMINISTRATOR only deletes the subject's personal data, but not publicly available publications that the DATA SUBJECT has made in forums, comments on publications and articles on media sites, posts and blogs.

All listed rights may be exercised by the DATA SUBJECT by submitting a written application in free form to the following email address: https://extravagancedesign.com/kontakti/, containing at least the following:

Email and other data to identify the relevant natural person;

Description of the request;

Preferred form of providing the information;

PRINCIPLES FOR PROCESSING PERSONAL DATA

When processing personal data, the ADMINISTRATOR ensures:

Lawful, fair and transparent processing;

Collection for specific, explicitly stated and legitimate purposes. Processing in a manner incompatible with these purposes is not permitted;

The personal data used are appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed;

Reliability of personal data and their up-to-date maintenance;

Storage in a form that allows the identification of the affected persons for a period no longer than is necessary for the purposes for which the personal data are processed;

Processing in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

The ADMINISTRATOR performs the activities related to the processing of personal data:

After the express consent of the DATA SUBJECT has been obtained;

In order to legitimately carry out business activities and problem-free customer service;

In order to fulfill its obligations to the data subject.

ACCESS TO DATA

ADMINISTRATOR provides DATA SUBJECT access and opportunity to review, correct, supplement or delete the personal data they have provided at any time.

PERSONAL DATA AUTOMATICALLY COLLECTED BY THE ADMINISTRATOR

When visiting the pages of the ADMINISTRATOR, the web server automatically recognizes and collects the IP address of the DATA SUBJECT, which is assigned by their Internet service provider. In this hypothesis, DATA SUBJECT is not personally identifiable.

Summary information - Log Files - THE ADMINISTRATOR receives information from log files (set of system information about the user) regarding: IP address; ISP (Internet Service Provider); the browser that the DATA SUBJECT uses when visiting a group site (such as Google Chrome, Internet Explorer and Mozilla Firefox); the time the DATA SUBJECT spent on a given site and which pages on the site they visited. The information contained in these files includes a "Cookie".

"Cookie" is a data file located on the device of the DATA SUBJECT when they visit, browses and uses the website of the ADMINISTRATOR. They allow the actions and preferences of the DATA SUBJECT to be saved for a certain period of time, so that they do not have to re-enter each time they visit the website or when moving from one page to another.

"Cookies" can be disabled from the DATA SUBJECT's browser settings. The DATA SUBJECT should bear in mind that some functionalities of the website may not work properly when disabled.

WEB ANALYSIS

ADMINISTRATOR uses Google Analytics to collect statistical information about the DATA SUBJECT - the country in which it is located; language; online behavior; the browser used, etc. ADMINISTRATOR collects the indicated data to analyze what type of users and in what way they use the website, which helps it to improve the user experience. This information cannot lead to the identification of the DATA SUBJECT.

DATA SUBJECT can refuse the use of their data by Google Analytics by downloading and installing the following plug-in: Google Analytics opt-out browser add-on.

By agreeing to use the service, DATA SUBJECT expresses their express consent to the ADMINISTRATOR's use of Google Analytics on the website and declares that they have been given the opportunity to opt out of Google Analytics.

PROTECT PERSONAL DATA ACTIONS

In order to prevent unauthorized access or disclosure, as well as to ensure proper use of personal data, ADMINISTRATOR implements appropriate technical and organizational measures to protect the data it collects and processes.

When processing payment information, in order to make the shopping and payment process as calm and secure as possible for DATA SUBJECT, ADMINISTRATOR uses Secure Sockets Layer. Secure Sockets Layer or SSL is a special cryptographic Internet client-server protocol that protects data transmission from malicious interference.

Maintaining the confidentiality and security of the DATA SUBJECT's personal information is of the highest priority and the ADMINISTRATOR provides access to it only to those employees who need to come into contact with it in order to fulfill their role and enable the ADMINISTRATOR's services to be provided. Provision of personal data can only be made in the event of a request from the relevant state bodies and institutions, according to the order and in cases defined in the current Bulgarian legislation.

ADMINISTRATOR stores personal information provided by DATA SUBJECT for as long as is necessary to ensure the effective functioning of its website. ADMINISTRATOR guarantees that the information provided and collected by them is not sold or made available for remunerative use to anyone, without the personal consent of DATA SUBJECT.

ADMINISTRATOR makes every effort to protect the personal data provided by DATA SUBJECT.

DURATION OF STORAGE OF PERSONAL DATA

ADMINISTRATOR stores the personal data of the legal representatives of legal entities - parties to a contract or the natural persons-partners or clients under a contract with the company indefinitely, for the purposes of protecting the legitimate interest of EXTRAVAGANCE DESIGN LTD and fulfilling its legal obligations to state bodies and institutions.

ADMINISTRATOR stores the personal data of persons who have made an inquiry through the form on the Company's website - http://extravagancedesign.com, until the express withdrawal of the given consent by the individual.

ADMINISTRATOR notifies you in the event that the data storage period needs to be extended in order to fulfill a legal obligation or in view of legitimate interests of the ADMINISTRATOR or otherwise.

ADMINISTRATOR stores the personal data that it is necessary to keep under the law

of the applicable legislation for the relevant stipulated term, which may exceed the term of the contract.

PERSONAL DATA PROVISION

ADMINISTRATOR may share personal data in the following cases:

To ensure compliance with a statutory obligation;

To prevent fraud or to ensure network and information security of its systems.

VIOLATIONS

A data security breach occurs when personal data for which the ADMINISTRATOR is responsible is affected by a security incident resulting in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data breach occurs when there is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data that is transmitted, stored or otherwise processed.

EVALUATION OF VIOLATIONS. NOTICE OF VIOLATIONS

After an employee of the ADMINISTRATOR receives information about a breach, they shall determine whether the particular event constitutes a personal data breach and notify the governing bodies of the ADMINISTRATOR about the event (in case they are not aware).

ADMINISTRATOR shall document any personal data security breach, including the facts related to the breach, its consequences and the actions taken to address it.

CONTROL

In the event of a breach of personal data security, where there is a possibility of creating a risk to the rights and freedoms of natural persons, the ADMINISTRATOR, without undue delay and when feasible - no later than 72 hours after becoming aware of it, notifies the Personal Data Protection Commission of the violation.

Control over the activities carried out by the ADMINISTRATOR related to personal data is exercised by the following administrative body:

Commission for Personal Data Protection

Address: the city of Sofia 1431, No. 15 Acad. Ivan Evstratiev Geshov Blvd.

Tel: + 359 2 915 35 18; Fax: + 359 2 915 35 25

El. mail: [email protected], [email protected]; Website: www.cpdp.bg

PRIVACY POLICY AMENDMENT

The rules described above can be amended unilaterally by the ADMINISTRATOR, for which they notify the DATA SUBJECT in an appropriate manner.

DATA SUBJECT agrees that any addition and amendment to the rules described above will be effective against them after notification by the ADMINISTRATOR and in the event that they do not object within 7 days to the amendments and additions made.

All statements regarding amendments and additions to the rules described above are published by the ADMINISTRATOR in an appropriate place on its website: http://extravagancedesign.com/.