The protection of the personal data and the protection of the personal and financial information of our clients are our top priority. That is why we process your information exclusively on the basis of the applicable legislation, in particular REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (better known as GDPR), the Personal Data Protection Act (PDPA) and the Electronic Commerce Act (ECA).

WWW.PIZZA-BOX.BG is owned by HOT SPOT BG EOOD, which provides the service – delivery of food to an address or on-site. We take delivery orders by phone and online. We shall use the web-based platform Fast Menu for orders placed online.

WHO PROCESSES AND BEARS RESPONSIBILITY FOR YOUR PERSONAL DATA
HOT SPOT BG EOOD, (“us”), is a company entered in the Commercial Register at the Registry Agency. The services we provide you with require the processing of your personal data by HOT SPOT BG EOOD as CONTROLLER, subject to the terms and requirements for the measure for personal data protection under GDPR. HOT SPOT BG EOOD shall be responsible for the processing of your personal data.

TYPES OF DATA WE PROCESS
As our clients, you have to create a user profile containing the following personal data, namely:

  • Invoice data – names, phone number, city, country, postal code, address;
  • First and last name of the person for delivery;
  • Shipping address – country, city, postal code, address;
  • Phone number for delivery;
  • Method of delivery;
  • Method of payment;
  • Order number;
  • Payment status;
  • Delivery status;
  • Amount to be paid;
  • E-mail;
  • Order history;

As our customers, you can place a delivery order over the phone, in which case we shall collect the following personal data:

  • Invoice data – names, phone number, city, country, postal code, address;
  • First and last name of the person for delivery;
  • Shipping address – country, city, postal code, address;
  • Phone number for delivery;
  • Method of delivery;
  • Method of payment;

HOT SPOT BG EOOD also creates the following types of data in the process of providing its commercial services, namely: user profile /username and password/, cookies and Google Analytics, functionality and performance cookies, essential cookies, as detailed in the Cookie Policy.

GROUNDS FOR THE PROCESSING
“HOT SPOT BG” EOOD shall process your personal data on the basis of Article 6, paragraph 1, letter “a”, letter “b”, letter “c” and letter “f” of GDPR, namely:

Article 6, paragraph 1, letter “a” of GDPR – You have given consent to the processing of your personal data for the purposes of direct marketing – advertising, commercial messages, promotions, offers, etc. The data that shall be processed on this basis are cookies and Google Analytics, functionality and performance cookies, essential cookies, pursuant to the Cookie Policy;
Article 6, paragraph 1, letter “b” of GDPR – the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; The data processed on this basis are detailed in Section II.
Article 6, paragraph 1, letter “c” of GDPR – the processing is necessary for compliance with a legal obligation to which WWW.PIZZA-BOX.BG/ is subject, such as obligations for commercial accounting, etc. The data processed on this basis are: first and last name, phone number, shipping address.
Article 6, paragraph 1, letter “f” of GDPR – the processing is necessary for the purposes of the legitimate interests pursued by WWW.PIZZA-BOX.BG/, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. The data processed on this basis are: first and last name, e-mail and user profile.
PURPOSES OF THE PROCESSING

А/ For the purpose of concluding or executing a contract for the delivery of the dishes offered by WWW.PIZZA-BOX.BG
– Identifying a client when ordering online via the user profile;
– Identifying the recipient of the shipment;
– Delivering an order;
– Updating your personal data;
– Servicing and responding to customer complaints/inquiries/requests under Articles 15 – 22 of GDPR/petitions;
– Adjusting due amounts if warranted;
– Paying amounts on accepted orders;
– Processing by processors – assignment, reporting, acceptance, payment;
– Verification by sending an email to ensure the data access security for your profile and when changing your password;

B/ In fulfillment of its legal obligations, WWW.PIZZA-BOX.BG shall process your data for the following purposes:
– Invoicing, preparing a detailed statement where provided for in the client’s individual contract;
– Carrying out the financial and accounting processing of the contract with the client and for the tax and insurance control of the respective competent authorities.
– Performance of the obligation of the Controller for accountability by saving legally significant verification data in electronic protocols, technical log files;

C/ For the purposes of the legitimate interests of WWW.PIZZA-BOX.BG namely:
– tracking the fulfillment of each delivery;
– resolving all matters related to claims;
– facilitating the communication and assisting the persons in the initial period of using our services /providing – solutions to issues with user profiles, etc./;
– Preventing and investigating abuse of online orders and the deliveries related to them, as well as in cases of losses and fraud;
– Analysing statistical data obtained after anonymisation of your data.

D/ For marketing purposes:
– analysing the consumer demand and behavior;
– sending messages about promotions, offers;
– sending advertising and/or information messages.

MINORS AND JUVENILES
WWW.PIZZA-BOX.BG does not provide services to people under the age of 18. A person under the age of 18 may use our services only with the assistance of an adult who acts as a representative of the minor/juvenile. In the event that RETSAURANT – receives information that it has collected personal data from a person under the age of 18, they are to be erased immediately unless the law obliges WWW.PIZZA-BOX.BG — to store such data. If you believe that we have mistakenly or unknowingly collected information from a person under the age of 18, please contact us on:WWW.PIZZA-BOX.BG/

METHODS OF DATA COLLECTION
WWW.PIZZA-BOX.BG shall process only data provided by you – our clients. This means that you are responsible not to provide data of third parties in violation of their rights to personal data protection, because WWW.PIZZA-BOX.BG does not have access to these persons and has no practical ability to control whether the clients provide us with data of third parties with their knowledge and consent given in accordance with the legal requirements. Therefore, every data subject bears full personal responsibility if he/she provides us with data of a third party without his/her knowledge or without obtaining his/her consent in compliance with the requirements of the applicable data protection legislation, including with regard to names, phone numbers and addresses of the recipients of the shipments provided to us by a client.

WHERE DO WE STORE YOUR DATA
The data we collect from you shall be stored within the European Economic Area (EEA) in compliance with the national and European legislation, and in particular with REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (better known as GDPR).

WHO HAS ACCESS TO YOUR DATA
WWW.PIZZA-BOX.BG shall not provide your personal data to third parties without legal or contractual grounds, and it shall not distribute data to third countries and international organisations outside the EU and EEA. WWW.PIZZA-BOX.BG shall use the FAST MENU web-based platform to fulfill tour orders. The transfer of your data to FAST MENU and/or to other processors shall be made solely for the purpose of providing the service/delivery of your choosing, for marketing campaigns aimed at enhancing the quality of the services provided to you and/or for the purpose of fulfilling legal obligations of WWW.PIZZA-BOX.BG namely: Transportation/courier companies for fulfillment of orders; Companies for technical analysis of the service such as hosting companies; The banks servicing the payments made by you; Persons performing consulting services in various fields – legal, accounting, auditing, including enforced collection of receivables, etc.; State administrative authorities – NRA, etc., where applicable in cases provided by the law.

PERIOD OF PROCESSING AND STORAGE DESTRUCTION OF DATA
After the fulfillment of a particular delivery and/or service or after have given your consent, your personal data shall be stored for the following periods:

10 years for accounting documents as of the beginning of the year following the year in which the accounting document was issued – first and last name, phone number, shipping address.
5 years from the fulfillment of a particular delivery and/or service in view of tracking the fulfillment of each delivery and resolving all matters related to claims – first and last name, phone number, shipping address, e-mail and user profile.
3 years from obtaining the consent – for e-mails with commercial and advertising messages, information materials, surveys, etc., as well as cookies and Google Analytics, functionality and performance cookies, essential cookies.
The destruction of personal data shall be carried out in compliance with a written procedure for that, according to the internal documents of WWW.PIZZA-BOX.BG

SECURITY MEASURES
WWW.PIZZA-BOX.BG has implemented a wide range of technical and organisational measures for protection of your personal data against loss or other forms of unlawful processing in accordance with Article 32 of GDPR.

The personal data are accessible only to those persons who need access in order to perform their work in connection with the fulfillment of our deliveries and/or services. These persons have been trained and authorised accordingly. The FAST MENU web-based platform, via which WWW.PIZZA-BOX.BG processes your orders, encrypts the information.

WHAT ARE YOUR RIGHTS
1.Right to access:
You are entitled to request at any time information about your personal data we store, the basis, the purposes, the periods of processing and storage, whether they have been provided to a processor or they have been destroyed, etc.

2. Right to rectification:
You have the right to rectification of your personal data if they are incorrect, including the supplementation of incomplete personal data.

3. Right to erasure/“right to be forgotten”/:
You have the right to erasure of all personal data processed by WWW.PIZZA-BOX.BG and its processors at any time unless the processing is necessary for at least one of the following purposes, namely:

exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which WWW.PIZZA-BOX.BG and/or its processors are subject;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing or establishing, exercising or defending legal claims.
4. Right to restriction
You have the right to request from WWW.PIZZA-BOX.BG – to restrict the processing of your personal data under the following circumstances:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
the data subject has objected to processing pursuant to Article 21, paragraph 1 of GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
5. Right to data portability:
When WWW.PIZZA-BOX.BG processes your personal data by automated means on the basis of your consent or on the basis of a contract, you have the right to receive a copy of your data in a structured, commonly used and machine-readable format transmitted to you or to another party. This includes only the personal data you have provided us with.

6. Right to object to the processing on the basis of a legitimate interest:
You have the right to object to the processing of your personal data on the basis of a legitimate interest of WWW.PIZZA-BOX.BG We shall no longer process your personal data unless demonstrated that there are compelling legitimate grounds for that, which override your interests and rights, or due to legal claims.

7. Right to be informed of a breach under Article 34 of GDPR:
When the personal data breach is likely to result in a high risk to your rights and freedoms, WWW.PIZZA-BOX.BG shall communicate the personal data breach to the data subject without undue delay describing the nature of the personal data breach and indicating at least:

the name and contact details of the data protection officer where more information can be obtained;
the likely consequences of the personal data breach;
description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The above information shall not be sent in the event of a security breach if WWW.PIZZA-BOX.BG — has met any of the following conditions:

it has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption or
it has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialize, or
the communication would involve disproportionate effort.
In the last hypothesis WWW.PIZZA-BOX.BG shall post a message on its website whereby the data subjects are informed in an equally effective manner.

EXERCISING YOUR RIGHTS
We take the protection of personal data very seriously, and therefore, we have a customer service team that handles your requests in relation to the above rights. You may always contact them on: WWW.PIZZA-BOX.BG

Please note that where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may:

charge a fee taking into account the administrative costs of providing the information or communication or taking the action requested, or
refuse to act on the request.
We shall make reasonable efforts to uphold your request within 30 days of receiving your application. That period may be extended by two further months, where necessary, taking into account the complexity and number of the requests.

WITHDRAWAL OF CONSENT
You may withdraw your consent to the processing of your personal data at any time only for those purposes and that type of personal data which are necessary for the achievement of the specific purposes, we process on the basis of Article 6, paragraph 1, letter “a” of GDPR, as detailed in Section III and IV of this Policy, as well as in the Cookie Policy. In the event that you wish to withdraw your consent to the processing of the following personal data, namely: e-mails with commercial and advertising messages, information materials, surveys, etc., as well as cookies and Google Analytics, functionality and performance cookies, essential cookies, you may submit a written application to the above e-mail or you may follow the active link to fill out our withdrawal of consent form or see the Cookie Policy.

REPORTING IRREGULARITIES AND COMPLAINTS
If you consider that we have infringed your rights with regard to your personal data and that there is a risk of breaching the security of your personal data, you may report that on: WWW.PIZZA-BOX.BG/ Exercising the above rights shall not deprive you of the right to lodge a complaint. You may lodge a complaint with the Bulgarian supervisory authority – the Commission for Personal Data Protection. You can find more information at: www.cpdp.bg.