Herbacals OOD ("Herbacals", "we", "our", "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you visit our website and purchase our products.
Please read this policy carefully. If you disagree with its terms, please discontinue use of our site.
1. Information We Collect
1.1 Information You Provide Directly
- Name, email address, postal address and phone number when you create an account or place an order
- Payment information (processed securely by our payment provider — we do not store card details)
- Communications you send us via email, contact forms or social media
- Newsletter subscription preferences
1.2 Information Collected Automatically
- IP address, browser type and operating system
- Pages visited, time on site and referring URL
- Cookies and similar tracking technologies (see Section 6)
- Device identifiers for fraud prevention
2. How We Use Your Information
We use your personal data for the following purposes, each of which has a lawful basis under GDPR:
- Order fulfilment: Processing and delivering your purchases (contractual necessity)
- Customer support: Responding to your queries and resolving complaints (legitimate interest)
- Marketing: Sending promotional emails where you have consented or made a recent purchase (consent / legitimate interest)
- Site improvement: Analysing usage patterns to improve user experience (legitimate interest)
- Legal compliance: Meeting our obligations under EU and Bulgarian law (legal obligation)
- Fraud prevention: Protecting our business and customers from fraudulent activity (legitimate interest)
3. How We Share Your Information
We do not sell your personal data. We share it only with:
- Courier and logistics partners who fulfil your delivery (e.g., Speedy, DPD, DHL)
- Payment processors (Stripe, PayPal) who handle transactions securely
- Email service providers for transactional and marketing communications (Mailchimp)
- Analytics providers (Google Analytics — with IP anonymisation enabled)
- Legal authorities where required by applicable law or court order
All third parties are bound by data processing agreements and may only use your data for specified purposes.
4. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:
- Order records: 7 years (Bulgarian tax law requirement)
- Account information: Until account deletion request + 30 days
- Marketing preferences: Until you unsubscribe
- Cookies: See Section 6
5. Your Rights Under GDPR
As an EU resident, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data ("right to be forgotten")
- Right to restriction: Request that we limit how we process your data
- Right to portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time
To exercise any of these rights, contact us at privacy@herbacals.eu. We will respond within 30 days.
6. Cookies
We use cookies and similar technologies to operate our website. Cookie categories:
- Strictly necessary: Session management, shopping cart, security (cannot be disabled)
- Analytical: Google Analytics for site performance tracking (opt-in)
- Marketing: Facebook Pixel, Google Ads remarketing (opt-in)
You can manage cookie preferences through our cookie consent banner or through your browser settings.
7. International Transfers
Some of our third-party service providers are based outside the EU/EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
8. Children's Privacy
Our website and services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including SSL encryption, access controls, and regular security assessments. However, no internet transmission is 100% secure — you transmit data at your own risk.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Where changes are material, we will notify you by email or prominent website notice.
11. Contact & Data Controller
The data controller is:
Herbacals OOD
Registered in Bulgaria
UIC: [Registration number]
Email: privacy@herbacals.eu
Address: Sofia, Bulgaria
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at www.cpdp.bg.
