Personal Data Protection Policy

This Personal Data Protection Policy (hereinafter "the Policy") describes how PRATCO (hereinafter "the Controller") collects, processes, stores, and protects the personal data of users of the website pratco.co.

The Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR) and the Personal Data Protection Act of the Republic of Bulgaria.

By using the website and/or providing personal data, the User confirms that they have read and understood this Policy.

Note: This website is currently under development. Controller details will be updated upon company registration.

The Data Controller within the meaning of Art. 4(7) of the GDPR is:

• Company name: [Company name] (registration pending)
• UIC (EIK): [UIC number]
• Registered address: [Address]
• Email: info@pratco.co

The above details will be updated upon registration in the Commercial Register.

When using the website and placing orders, the Controller may collect and process the following categories of personal data:

• Identification data: first name and last name;
• Contact data: email address, phone number, delivery address;
• Order data: order history, ordered products, amounts;
• Technical data: IP address, browser type and version, operating system, device information;
• Navigation data: pages visited, visit duration, actions on the website.

The Controller does not collect or process special categories of personal data (sensitive data) within the meaning of Art. 9 of the GDPR.

The Controller processes personal data for the following purposes:

• Processing, fulfillment, and delivery of orders;
• Communication with the User regarding orders, deliveries, and complaints;
• Providing customer support;
• Compliance with legal obligations (tax, accounting);
• Improving the functionality and security of the website;
• Sending marketing communications (only with the User's explicit consent);
• Protection of the Controller's legitimate interests, including fraud prevention.

Personal data processing is carried out on the following legal grounds, pursuant to Art. 6(1) of the GDPR:

• Performance of a contract (Art. 6(1)(b)): processing is necessary for the performance of the distance sales contract;
• Legal obligation (Art. 6(1)(c)): processing is necessary for compliance with tax, accounting, and other legal obligations;
• Legitimate interest (Art. 6(1)(f)): for improving services, website security, and fraud prevention;
• Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies.

The Controller retains personal data for the periods necessary to fulfill the processing purposes:

• Order and billing data: 5 years from the date of the transaction — pursuant to the Accountancy Act and tax legislation;
• Communication data: 3 years after last contact;
• Marketing preferences: until consent is withdrawn by the User;
• Technical data and logs: 12 months.

After the specified periods expire, data is irreversibly deleted or anonymized.

Pursuant to Chapter III of the GDPR (Articles 15–22), the User has the following rights:

• Right of access (Art. 15): to receive confirmation of whether personal data is being processed and to obtain a copy thereof;
• Right to rectification (Art. 16): to request correction of inaccurate or incomplete data;
• Right to erasure (Art. 17): to request deletion of personal data ("right to be forgotten");
• Right to restriction of processing (Art. 18): to request restriction under certain conditions;
• Right to data portability (Art. 20): to receive data in a structured, commonly used, and machine-readable format;
• Right to object (Art. 21): to object to processing based on legitimate interest;
• Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise these rights, please send a request to: info@pratco.co. The Controller shall respond within 30 days of receiving the request.

The website uses the following categories of cookies:

• Strictly necessary cookies: ensure the basic functionality of the website (cart, navigation). These do not require consent;
• Analytical cookies: collect anonymous statistics about website usage. Activated only with the User's explicit consent;
• Functional cookies: remember User preferences (language, currency). Activated only with the User's explicit consent.

The User may manage cookies through their browser settings or via the cookie banner displayed on the first visit. Withdrawing consent does not affect cookies processed prior to the withdrawal.

The Controller may transfer personal data to the following categories of recipients, insofar as necessary for the fulfillment of processing purposes:

• Courier companies (Speedy, Econt): name, address, phone number — for order delivery;
• Hosting and cloud providers: for data storage and processing in a secure environment.

All data recipients are required to ensure an appropriate level of protection in accordance with the GDPR. Data is not transferred to third countries outside the EU/EEA unless the recipient ensures an adequate level of protection within the meaning of Articles 45–46 of the GDPR.

The Controller reserves the right to amend and supplement this Policy. In the event of significant changes, Users will be notified via a notice on the website or by email. The current version of the Policy is always available on the website.

For questions regarding personal data processing or to exercise your rights, please contact us:

Email: info@pratco.co

If you believe your rights have been violated, you have the right to lodge a complaint with:

Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg
Email: kzld@cpdp.bg