top of page

Personal Data Protection Policy

Information about the personal data controller:

“Pinexl" an entity, registered in the Commercial Register of the Registry Agency with UIC 205369793, with headquarters and business address:Sofia 1113, Latinka Str. 16, ent.A, fl.2, app.2; e-mail:

Grounds and purposes for which we use your personal information

We process your personal data on the following grounds:

  • Contract concluded between us and you in order to fulfill our obligations under it;

  • Your explicit consent - the purpose is stated on a case-by-case basis;

  • Under a legal obligation;

In the following paragraphs, you will find detailed information about the processing of your personal data, depending on the reason we process it.




We process your personal data in order to perform the contractual and pre-contractual obligations and to use the rights under the contracts concluded with you.


Processing Goals:

  • identification

  • managing and executing your request and executing a contract;

  • preparing an offer for concluding a contract;

  • preparation and sending a bill/ invoice for the services you use us;

  • to provide you with the full service you need, as well as to collect the due amounts for the services used ;

  • keeping correspondence in relation to previous orders, processing requests, reporting problems, and more.

  • notification of anything related to the services you use from us;

  • client history analysis;

  • identify and / or prevent unlawful actions or actions inconsistent with our terms of service;


Data we process on this ground:

Based on the agreement between you and us, we process information about the type and content of the contractual relationship as well as any other information related to the contractual relationship, including:

  • personal contact details - contact address, email, phone number;

  • identification data - name, email

  • data about the orders made;

  • correspondence in relation to the entire service - emails, letters, information about your requests for troubleshooting, complaints, requests, complaints, feedback we receive from you;

  • credit or debit card information, bank account number or other bank and payment information related to the payments made;

  • other information such as :

    • Customer ID, code or other identifier created for identification;

    • IP address when visiting our website;

    • Social Network Account Details

    • Information from your actions on the site

The processing of the above mentioned personal data is obligatory for us in order to be able to conclude the contract with you and execute it. Without providing us with this information, we would not be able to fulfill our contractual obligations.


We provide third parties with personal data

We provide your personal information to third parties, and our main purpose is to offer you quality, fast and comprehensive service. We do not provide  third parties with your personal data before making sure that all technical and organizational measures are taken to protect this data by striving to carry out strict control to meet this goal. In this case, we remain responsible for the confidentiality and security of your data.

We provide the following categories of recipients (personal data controllers) with personal data:

  • postal operators and courier companies;

  • persons who, by assignment, keep equipment, software and hardware used for the processing of personal data and necessary for the operation of the company

  • persons performing consultancy services in different spheres.


When do we delete the data collected on this basis?

The data collected on this basis will be erased 2 years after termination of the contractual relationship, whether due to expiration of the contract, termination or other grounds.



It is possible that we are obliged by the law to process your personal data. In these cases, we are required to do so. Examples for this obligations are:

  • Obligations under the Measures against Money Laundering Act;

  • Execution of obligations in relation to distance selling, off-premises sales provided by the Consumer Protection Act;

  • Providing information to the Consumer Protection Commission or third parties in connection with the Consumer Protection Act;

  • Provision of information to the Commission on the protection of personal data in relation to obligations provided by the legislation on the protection of personal data;

  • Obligations stipulated in the Accountancy Act and the Tax-Insurance Procedure Code and other related normative acts in relation to the lawful accounting;

  • Provision of information to the court and third parties, in the course of proceedings in the court, in accordance with the requirements of the normative acts applicable to the proceedings;

  • Age authentication when shopping online.


When do we delete personal data collected on this basis?

The data collected according to an obligation under the law is deleted after the collection and storage obligation has been fulfilled or dropped. For example:

  • under the Accountancy Act for the storage and processing of accounting data (11 years),

  • obligations to provide information to the court, competent state bodies, etc. grounds provided by current legislation (5 years).


Provision of 3rd parties with personal data

When we are required to do so by law, we may give your personal data to the competent governmental authority, a natural or legal person.




We process your personal data on this ground only after your expressly, unambiguously and voluntarily agree. We will not provide any unfavorable consequences for you if you refuse to agree your personal data to be processed.

Consent is a separate ground for the processing of your personal data and the purpose of the processing is specified therein and is not covered by the objectives listed in this policy. If you give us the appropriate consent and until we withdraw or terminate any contractual relationship with you, we prepare appropriate product / service suggestions for you by performing detailed analyzes of your basic personal data;

Advanced analytics is a method of performing an analysis that allows the processing of large volumes of data through statistical models and algorithms and others that involve the use of personal data as well as the processes of aliasing and anonymizing them to retrieve information about trends and different statistical indicators.


Data we process on this ground:

On this ground, we process only the data you have given us our explicit consent for. Specific data is determined for each individual case. Typically, this data is an email and a name.

Provision of data to third parties

We do not provide data to third parties

Withdrawal of consent

Consent submitted may be withdrawn at any time. Withdrawal of consent will not affect the performance of contractual obligations. If you withdraw your consent to the processing of personal data for any or all of the ways described above, we will not use your personal information and information for the purposes set forth above. Withdrawal of consent does not affect the lawfulness of consent-based processing prior to its withdrawal.

To withdraw your consent, you only need to use our site or simply contact us.


When do we delete the data collected on this basis?

The data collected on this basis is deleted at your request or 12 months after its initial collection.



We process your data for static purposes, this means for analyzes where the results are only generalized and therefore the data is anonymous. Identifying a specific person from this information is impossible.

Your data can also be anonymized. Anonymisation is an alternative to data deletion. In anonymization, any personal identifiable elements / elements that allow you to identify yourself are irrevocably deleted. Anonymized data is not legally obligatory for deletion because it does not constitute personal data.


How we protect your personal information

To ensure adequate data protection for the company and its customers, we apply all necessary organizational and technical measures provided in the Personal Data Protection Act.

For the sake of maximum security when processing, transferring and storing your data, we may use additional security mechanisms such as encryption, pseudonymisation, and more.

Personal data we have received from third parties

We do not get data from 3rd parties.

Consumer Rights

Each user of the site has all rights to protection of personal data in accordance with Bulgarian and European Union legislation.


The user can exercise their rights through the contact form or by sending a message to our email.

Each User is entitled to:

  • Awareness (in connection with the processing of his or her personal data by the controller);

  • Access to their own personal data;

  • Correction (if data is inaccurate)

  • Deleting personal data (right to be forgotten);

  • Restriction of processing by the controller or the processor of personal data;

  • Portability of personal data between individual controllers;

  • Appeal against the processing of his or her personal data;

  • The data subject may also not be the subject of a decision based solely on automated processing involving profiling that produces legal consequences for the data subject or similarly affects him or her significantly;

  • Entitlement to judicial or administrative redress if the rights of the data subject have been violated.


The user may request deletion if one of the following conditions is true:

  • Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

  • The consumer withdraws his consent on which the processing of the data is based and no other legal basis for the processing;

  • The data user opposes the processing and there are no legitimate grounds for the processing that have an advantage;

  • Personal data has been tampered with;

  • Personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;

  • Personal data have been gathered in connection with the provision of child information society services and consent is given by parental responsibility for the child.

The customer is entitled to restrict the processing of his personal data by the controller when:

  • Opposes the accuracy of personal data. In this case, the limitation of the processing is for a period that allows the controller to verify the accuracy of the personal data;

  • Processing is unlawful, but the User does not want personal data to be deleted but instead requires a limitation of their use;

  • The controller no longer needs personal data for the purposes of processing, but the User requires them to establish, exercise or protect legal claims;

  • Appeals against processing pending verification that the legitimate grounds of the controller have an advantage over the User's interests.


Right of portability.

The data subject has the right to receive the personal data that concerns him and which he has provided to an controller in a structured, widely used and machine readable format and has the right to transfer this data to another controller without hindrance by the controller to whom the personal data is provided when the processing is based on consent or a contractual obligation and the processing is done in an automated manner. When exercising its right to data portability, the data subject is also entitled to receive a direct transfer of personal data from one controller to another when technically feasible.


Right of objection.

Users have the right to object to the controller against the processing of their personal data. The Personal Data Administrator is required to discontinue the processing unless he can prove that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims. In case of objection to the processing of personal data for the purposes of direct marketing, the processing should be terminated immediately.


Appeal to the supervisory authority

Each User has the right to file a complaint against the unlawful processing of his personal data with the Personal Data Protection Commission or the competent court. You can 


Keeping a registry

We keep a Register of the processing activities for which we respond. This Register contains all of the following information:

  • Name and contact details of the controller

  • Targets of processing;

  • Description of categories of data subjects and categories of personal data;

  • The categories of recipients to whom personal data is or will be disclosed,

  • Including recipients in third countries or international organizations;

  • Where possible, the deadlines for deleting the different categories of data;

  • Where possible, a general description of the technical and organizational security measures.

Our company is hosted on the platform. provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through’s data storage, databases and the general applications. They store your data on secure servers behind a firewall.

All direct payment gateways offered by and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

bottom of page