
PRIVACY POLICY (Personal Data Protection)

Last updated: 17.02.2026



This policy describes how “Zdravnitza” processes personal data when you use the online store at shop.zdravnitza.com, when you contact us, and when you visit our physical premises.

1. Who is the controller of personal data?

Controller:
“New S Net” Ltd. (Bulgarian company), UIC: 121797027 / VAT: BG121797027
Address: 74 Odrin St., Sofia, Bulgaria
Email: office@zdravnitza.com
Phone: +359 2 483 72 91
(hereinafter “Zdravnitza”, “we”, “us”, “controller”).


2. What personal data do we process?

Depending on how you use the Site and our services, we may process the following categories of data:

2.1. Identification and contact data

- first name, last name
- email address
- phone number
- delivery/billing address, city, country, postal code

2.2. Account and order data

- profile/account data (if you create an account)
- order history: products, quantities, values, discounts, used codes
- order/delivery/return/complaint statuses
- preferences (e.g., language)

2.3. Payment data

- payment method and transaction status/result (confirmed/declined). We do not store full payment card details; the payment providers process them.

2.4. Communications and customer service

- inquiries via email/form/phone, message content, and service history
- complaints/claims/feedback you send to us
- phone calls when contacting us (including call recordings where announced and applicable)

When you call our phone number, an automated message informs you that the call may be recorded. If you do not want your call to be recorded, you can place your order online, contact us by email, or use the Live chat. Recordings are stored on our own (on‑premises, hardware) PBX/telephony system, and only authorized persons have access.

2.5. Marketing data

- subscription/unsubscription status
- marketing preferences (categories/interests)
- email campaign activity (e.g., opens/clicks), where your email client allows this

2.6. Technical data and online identifiers

- IP address, device/browser identifiers
- security and performance logs
- data from cookies and similar technologies (see Section 9 and our Cookie Policy)

2.7. CCTV (where applicable)

- images from CCTV in our physical premises (where installed and properly signposted)

We do not aim to collect special categories of personal data (e.g., health data). If you voluntarily provide such information in free text, we will process it only to the extent necessary to respond and provide service.


3. Where do we obtain the data from?

- directly from you (registration, order, contact form, subscription, phone)
- automatically from your device/browser when you use the Site (logs, cookies – depending on your settings)
- from partners involved in fulfilling the order (couriers, payment providers) – e.g., delivery/payment statuses


4. Purposes and legal bases for processing

We process personal data only when we have a lawful basis under the GDPR.

4.1. Contract/steps before entering into a contract

- processing and fulfilling orders, deliveries, returns, and complaints
- creating and managing a customer account (if you create one)
- communication related to an order (confirmations, status updates, essential notifications)
- handling inquiries and orders by phone (including recorded calls where used for service)

4.2. Legal obligation

- accounting, tax, and commercial law obligations (invoices, accounting records, reports)
- compliance with requests from competent authorities where required by law

4.3. Legitimate interest

- fraud prevention and information security
- improving the Site and services (e.g., troubleshooting, performance)
- establishment, exercise, or defense of legal claims
- service quality control and protection in disputes/claims (including call recordings where announced)
- CCTV for security (where applicable and signposted)

We always balance our legitimate interests with your rights and freedoms. You have the right to object (see Section 11).

4.4. Consent

- sending marketing messages where consent is required by law
- use of analytics and marketing cookies/tracking on the Site (only after your choice in the cookie banner/settings)


5. Marketing messages, segmentation, and automations

We may send newsletters, promotional campaigns, and automated messages (e.g., abandoned cart, post‑purchase, birthday). Every marketing email contains an unsubscribe link. You may object to direct marketing at any time without affecting order processing.

When you are our customer and we have obtained your email in connection with a purchase, we may send you messages about similar products and offers where this is permitted under applicable law. We always provide an easy opt‑out option in every message.

We do not perform automated decision‑making that produces legal effects for you.


6. Who do we share data with (recipients/processors)?

We do not sell personal data. We share data only when necessary and with appropriate contractual safeguards, for example, with:

- courier companies (delivery) – name, phone, address as needed
- payment providers/banks – transaction data and statuses
- accounting providers/auditors – where needed
- IT and hosting providers – infrastructure support and security
- email marketing / CRM automation platforms – sending campaigns and flows, segmentation, reporting
- analytics/advertising providers (e.g., Google Analytics, advertising platforms) – only where you have enabled the relevant cookie categories

We may disclose data to competent authorities where required by law.


7. Transfers outside the EEA

Some of our service providers may process or store data outside the European Economic Area (EEA), for example, in the United States or the United Kingdom, especially when using cloud services and marketing platforms.

Where transfers outside the EEA occur, we apply appropriate safeguards such as an adequacy decision (where applicable), Standard Contractual Clauses (SCCs), and/or additional technical and organizational measures, or other GDPR‑compliant mechanisms.

You can request information about the safeguards used via the contact details in Section 1.


8. How long do we keep the data (retention periods)?

- Orders/contract relations: for the duration of the relationship and afterwards – up to the applicable limitation periods and/or complaint/return deadlines
- Accounting and tax documents: according to legal retention requirements (typically up to 10 years)
- Marketing (newsletters/automations): until you unsubscribe/object or until we no longer have a valid legal basis
- Technical logs: for a reasonable period necessary for security and diagnostics
- Call recordings: up to 24 months; in case of dispute/complaint/legal claim – until final resolution and/or until the applicable limitation periods expire, but not more than 5 years
- CCTV: typically up to 14 days, unless needed for an incident/investigation/legal claim


9. Cookies, tracking, and consent settings

We use cookies and similar technologies. The categories are described in our Cookie Policy, including:

- Necessary (including functional/preferences) – always active, as they are required for the proper operation and security of the Site (e.g., session, cart, account login, fraud prevention, essential settings). They do not require consent and cannot be disabled via our settings.
- Analytics – for measurement and improvement (only with your explicit consent).
- Marketing – for advertising/remarketing/personalization (only with your explicit consent).

You can manage your consents at any time via “Cookie settings” on the Site, as well as via your browser settings.

If an email platform uses onsite tracking (e.g. for abandoned cart or viewed products), this functionality is enabled only if you have allowed the relevant tracking/cookie category.


10. Data security

We apply technical and organizational measures to protect data (access control, SSL encryption, backups, monitoring). However, no system can be guaranteed to be 100% secure.


11. Your rights

You have the right to:

- access your data
- rectification
- erasure (“right to be forgotten”), where applicable
- restriction of processing
- data portability
- object to processing based on legitimate interests
- object to direct marketing (at any time)
- withdraw consent, where processing is based on consent (without affecting lawfulness before withdrawal)

To exercise your rights, please contact us using the details in Section 1. We may request additional information to verify your identity.


12. Complaint to the supervisory authority

If you believe your rights have been violated, you have the right to lodge a complaint with the Bulgarian supervisory authority:

Commission for Personal Data Protection (CPDP): 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.; website: www.cpdp.bg; e-mail: kzld@cpdp.bg.


13. Children

The Site is not specifically directed at children. If we become aware that we process children’s data without a valid legal basis, we will take steps to delete or restrict such data.


14. Changes to this policy

We may update this policy due to changes in services, legislation, or providers. The current version is published on the Site with the date of the latest update.