I. Introduction
Welcome to the website https://www.chemsys.bg/, maintained and managed by “Chemical Sys” Ltd., UIC 207720472, with registered office and address: Hisarya, 8 Hadzhi Dimitar St., Entrance A, Floor 5, Apartment 9.
By visiting and using this website, you agree to the rules for processing and protecting personal data set forth in this Privacy Policy. Please read it carefully. If you have any questions, you can contact us at office@chemicalsys.bg. If you do not agree with the terms described herein, please do not use this website.

II. Data Controller
“Chemical Sys” Ltd. is a personal data controller within the meaning of Regulation (EU) 2016/679 (GDPR). The company determines the purposes and means of data processing, takes the necessary technical and organizational measures for their protection, and guarantees the rights of data subjects.
Supervisory Authority:
Commission for Personal Data Protection
Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Tel.: +359 2 915 35 18; +359 2 915 35 15; +359 2 915 35 19
E-mail: kzld@cpdp.bg, Website: www.cpdp.bg

III. Purpose and Scope of the Policy
This Policy aims to inform website visitors about:
• the types of personal data collected and processed;
• the legal basis and purposes of processing;
• data retention periods;
• the rights of individuals and how to exercise them;
• conditions for disclosure of data to third parties;
• the use of cookies;
• security measures and policy updates.
The Policy applies to all users of the website and to all activities related to the collection, processing, and storage of personal data carried out by the Controller.
 

IV. Key Definitions
For the purposes of this Policy, the following terms have the meanings given in Regulation (EU) 2016/679:
“Personal data” – any information relating to an identified or identifiable natural person, such as name, email address, phone number, location, IP address, etc.
“Processing” – any operation or set of operations performed on personal data, such as collection, storage, alteration, disclosure, deletion, etc.
“Controller” – the person or organization that determines the purposes and means of personal data processing.
“Processor” – a third party that processes personal data on behalf of the controller (e.g., a hosting service provider).
“Recipient” – a person or entity to whom personal data is disclosed.
“Consent” – freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which they agree to the processing of their personal data.
“Personal data breach” – any breach of security leading to unauthorized access, loss, destruction, or disclosure of personal data.
 

V. Principles of Processing
The Controller ensures that personal data processing is carried out in accordance with the following principles:
  1. Lawfulness and transparency – data are collected and processed fairly and transparently.
  2. Purpose limitation – data are processed only for clearly defined and lawful purposes.
  3. Data minimization – only data necessary to achieve the purpose are collected.
  4. Accuracy – data are kept accurate and up to date.
  5. Storage limitation – data are kept only as long as necessary.
  6. Security and confidentiality – technical and organizational measures are taken to protect against unauthorized access, loss, or destruction.
 
VI. Categories of Personal Data Collected
1. Special categories of data
The Controller does not collect sensitive personal data (e.g., health status, ethnic origin, political beliefs). If such data are mistakenly provided, they are immediately deleted.
2. Data provided by users
• via phone contact – name and phone number, and if necessary, email address;
• via the website contact form – name, email address, and message content;
• via email – email address, name, and correspondence content;
• via social networks (e.g., Facebook Messenger) – name and message content;
• when purchasing goods or services – name, address, phone number, email, and payment details;
• when submitting complaints – name, address, phone number, email, and other necessary data for handling the claim.
3. Data from third parties
In rare cases, public registers (e.g., the Commercial Register) may be used to protect the Controller’s legitimate interests.
4. Automatically collected data
When visiting the site, the following may be collected: IP address, device type, browser, operating system, pages visited, duration and frequency of visits, date and time of access. 

VII. Cookies
The website uses cookies to ensure a better user experience and to collect statistical information about website usage.
Functional cookies – necessary for the normal operation of the site.
Analytical cookies – used to create anonymous statistics on user traffic and behavior.
Marketing cookies – applied only with explicit consent, allowing the display of personalized advertisements.
Users can manage their cookie preferences via their browser or through the “Cookie Policy” section on the website. 

VIII. Purposes of Processing
The Controller processes personal data for the following purposes:
  1. Providing services and fulfilling orders – including delivery of purchased goods or services.
  2. Communication with users – responding to inquiries, providing information, customer service.
  3. Compliance with legal obligations – e.g., accounting, tax requirements, guarantees, and complaints.
  4. Statistical and analytical purposes – improving website performance and functionality.
  5. Improving website security and protection – detecting abuse, preventing violations, and monitoring.
  6. Marketing and promotions – only with consent to receive newsletters or promotional messages.
 
IX. Data Retention Periods
Retention periods depend on the data category and purpose of processing:
• Inquiries via email or social networks – retained up to 1 year after communication ends.
• Purchase data – retained up to 10 years, in accordance with legal accounting and reporting requirements.
• Automatically collected data (logs, technical information) – usually retained up to 1 year.
• Complaint data – retained as long as necessary to resolve disputes and establish rights and obligations.
• Marketing data – retained until consent is withdrawn.
In all other cases, data are kept only for the period necessary to achieve the purpose, after which they are deleted or anonymized.
 

X. Data Recipients
The Controller may disclose personal data only to:
• data subjects – the individuals to whom the data relate;
• government authorities – when required by law (e.g., tax or regulatory bodies);
• service providers – accounting firms, hosting providers, courier and payment service providers, software maintenance, and traffic analysis companies;
• partners – when necessary for contract performance and only with sufficient data protection guarantees.
Data are not sold to third parties and are not used for unauthorized purposes. For transfers outside the European Economic Area, appropriate safeguards as required by the GDPR are applied.

XI. Data Security
The Controller applies technical and organizational measures to protect personal data from unauthorized access, loss, or destruction, including:
• use of SSL certificates for encrypted connections;
• storage of data on secure servers with restricted access;
• internal rules limiting access and processing only by authorized personnel;
• periodic security reviews and updates.
In case of a personal data breach that may endanger users’ rights, they will be notified in accordance with legal requirements.

XII. Rights of Individuals
Every user has the following rights:
  1. Right of access – to obtain confirmation whether and what data are processed about them.
  2. Right to rectification – to request correction or completion of inaccurate data.
  3. Right to erasure (“right to be forgotten”) – to request deletion of their data when there is no legal basis for further processing.
  4. Right to restriction of processing – in cases provided by law.
  5. Right to data portability – to receive their provided data in a structured, machine-readable format and transfer it to another controller.
  6. Right to object – to object to data processing for legitimate interest or direct marketing purposes.
  7. Right to withdraw consent – when processing is based on consent, it may be withdrawn at any time.
  8. Right to lodge a complaint – with the Commission for Personal Data Protection or the court if rights have been violated.
 
XIII. Procedure for Exercising Rights
To exercise their rights, data subjects may submit a request to the Controller:
• by post to the address of “Chemical Sys” Ltd.;
• by email to office@chemicalsys.bg
The request must include identifying information and a description of the right to be exercised. If necessary, the Controller may request additional information to verify identity and prevent abuse or unauthorized access.
The Controller reviews each request and responds within 1 month of receipt. For complex or multiple requests, the period may be extended by up to 2 additional months, and the individual will be notified in due time. If a request is denied, the Controller will state the reasons and inform the individual of their right to appeal to the supervisory authority.

XIV. Changes to the Policy
This Privacy Policy may be updated periodically to reflect changes in legislation or in the Controller’s practices. All changes will be published on the website, indicating the date of the latest revision. Users are encouraged to review this page regularly to stay informed of the most recent terms.

XV. Contact Information
If you have any questions regarding this Privacy Policy or wish to exercise your rights, you can contact us at:
Email: office@chemicalsys.bg